Icecast - Feb 2023 - Send admin kill request to server

Good afternoon,

On Sat, 2023-02-18 at 13:23 +0100, HGAlt wrote:
> Hi everybody,
>  
> finally I found a solution!
>  
> First, Icecast requires a Basic Authorization, which has to provide
> via a header.
This is not fully correct. It depends on the configuration and may
change with different versions of the server.

An important note here, and to be honest the main reason why I answer:
NEVER EVER just append a random Authorization:-header without
implementing all of the HTTP authorisation mechanism. If you do so you
basically are broadcasting cleartext passwords to random peers, and are
likely to get in trouble with changes of software versions or
configurations. It is a big no-go. Always use the mechanism as provided
by your HTTP implementieren.

Please see the relevant standards for a full discussion on how and why
this breaks security and interoperability.

> But this can?t be done via JavaScript or JQuery, due the security
> features of the browsers.
> For more detail information see 
>
https://stackoverflow.com/questions/75463305/difference-basic-authorization-between-postman-and-jquery-ajax/75493285#75493285
> .
If you adhere to CORS it works fine for me. A simple XHR request with
credentials passed via open() worked.

Naturally you are bound to CORS. Icecast can announce any kind of CORS
settings via it's config.

XHR also allows you direct access to the response Icecast gives you as
it provides you with the response's DOM. So you can directly check the
result. :)


With best regards,
> Von: Icecast [mailto:icecast-bounces at xiph.org] Im Auftrag von HGAlt
> Gesendet: Donnerstag, 16. Februar 2023 15:49
> An: 'Icecast streaming server user discussions'
> Betreff: Re: [Icecast] Send admin kill request to server
>  
> Hi Fred,
>  
> I am understand the requirements already a little bit better.
> 
> What I have to Do is a HTTP GET with a Basic Authorization in the
> header. I have tested it with ?Postman? and it works fine with
> Icecast.
> But I have to do it with Javascript or JQuery. Therefore curl doesn?t
> help me.
>  
> I try to use Ajax for that, but something goes wrong.
> If I do it without Autorization, I got a return message which says
> 'Authentication required'.
> If I enable the Autorization it tells me only readyState: 0.
>  
> If I will find a solution, I will post it here.
>  
> Cheers
>  
> Von: Icecast [mailto:icecast-bounces at xiph.org] Im Auftrag von Fred
> Gleason
> Gesendet: Mittwoch, 15. Februar 2023 16:57
> An: Icecast streaming server user discussions
> Betreff: Re: [Icecast] Send admin kill request to server
>  
> On Feb 14, 2023, at 13:24, HGAlt <hgalt at gmx.net> wrote:
>  
> > I am a little bit confused!
> > 
> >
http://192.168.1.10:8000/admin/killclient?mount=/mystream.ogg&id=21
> > 
> > This is an example of the Icecast documentation for kill a client.
> > And this is a HTTP GET, which is send to the Icecast server.
> > You also wrote, that there are no user and pass for an API.
> > 
> > What I have to know, what does the Icecast server expect?
> > If there is no user and pass, how the server knows, that is a valid
> > request.
> 
>  
> You should be able to send this with proper HTTP authentication
> parameters by using CURL. Something like:
>  
>             curl -u admin:hackme 
> http://192.168.1.10:8000/admin/killclient?mount=/mystream.ogg&id=21
>  
> This is different from encoding the parameters as if they were part
> of an HTML form.
> 
-- 
Philipp Schafft (CEO/Gesch?ftsf?hrer)
Telephone:           +49.3535 490 17 92
Website:             https://www.loewenfelsen.net/
Follow us:           https://www.linkedin.com/company/loewenfelsen/
Gesch?ftsf?hrer/CEO: Philipp Schafft

L?wenfelsen UG (haftungsbeschr?nkt)     Registration number:
Bickinger Stra?e 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.xiph.org/pipermail/icecast/attachments/20230218/7791366a/attachment.sig>

Good Morning Philipp,

that make be a good point.
But it would be very helpful, if in the Icecast documentation would be very
clear defined, which kind of authorization is required for which server version.

At least, I could not find anything!

-----Urspr?ngliche Nachricht-----
Von: Icecast [mailto:icecast-bounces at xiph.org] Im Auftrag von Philipp Schafft
Gesendet: Samstag, 18. Februar 2023 20:53
An: Icecast streaming server user discussions
Betreff: Re: [Icecast] Send admin kill request to server

Good afternoon,

On Sat, 2023-02-18 at 13:23 +0100, HGAlt wrote:
> Hi everybody,
>
> finally I found a solution!
>
> First, Icecast requires a Basic Authorization, which has to provide
> via a header.
This is not fully correct. It depends on the configuration and may change with
different versions of the server.

An important note here, and to be honest the main reason why I answer:
NEVER EVER just append a random Authorization:-header without implementing all
of the HTTP authorisation mechanism. If you do so you basically are broadcasting
cleartext passwords to random peers, and are likely to get in trouble with
changes of software versions or configurations. It is a big no-go. Always use
the mechanism as provided by your HTTP implementieren.

Please see the relevant standards for a full discussion on how and why this
breaks security and interoperability.

> But this can?t be done via JavaScript or JQuery, due the security
> features of the browsers.
> For more detail information see
> https://stackoverflow.com/questions/75463305/difference-basic-authoriz
> ation-between-postman-and-jquery-ajax/75493285#75493285
> .
If you adhere to CORS it works fine for me. A simple XHR request with
credentials passed via open() worked.

Naturally you are bound to CORS. Icecast can announce any kind of CORS settings
via it's config.

XHR also allows you direct access to the response Icecast gives you as it
provides you with the response's DOM. So you can directly check the result.
:)


With best regards,
> Von: Icecast [mailto:icecast-bounces at xiph.org] Im Auftrag von HGAlt
> Gesendet: Donnerstag, 16. Februar 2023 15:49
> An: 'Icecast streaming server user discussions'
> Betreff: Re: [Icecast] Send admin kill request to server
>
> Hi Fred,
>
> I am understand the requirements already a little bit better.
>
> What I have to Do is a HTTP GET with a Basic Authorization in the
> header. I have tested it with ?Postman? and it works fine with
> Icecast.
> But I have to do it with Javascript or JQuery. Therefore curl doesn?t
> help me.
>
> I try to use Ajax for that, but something goes wrong.
> If I do it without Autorization, I got a return message which says
> 'Authentication required'.
> If I enable the Autorization it tells me only readyState: 0.
>
> If I will find a solution, I will post it here.
>
> Cheers
>
> Von: Icecast [mailto:icecast-bounces at xiph.org] Im Auftrag von Fred
> Gleason
> Gesendet: Mittwoch, 15. Februar 2023 16:57
> An: Icecast streaming server user discussions
> Betreff: Re: [Icecast] Send admin kill request to server
>
> On Feb 14, 2023, at 13:24, HGAlt <hgalt at gmx.net> wrote:
>
> > I am a little bit confused!
> >
> >
http://192.168.1.10:8000/admin/killclient?mount=/mystream.ogg&id=21
> >
> > This is an example of the Icecast documentation for kill a client.
> > And this is a HTTP GET, which is send to the Icecast server.
> > You also wrote, that there are no user and pass for an API.
> >
> > What I have to know, what does the Icecast server expect?
> > If there is no user and pass, how the server knows, that is a valid
> > request.
>
>
> You should be able to send this with proper HTTP authentication
> parameters by using CURL. Something like:
>
>             curl -u admin:hackme
> http://192.168.1.10:8000/admin/killclient?mount=/mystream.ogg&id=21
>
> This is different from encoding the parameters as if they were part of
> an HTML form.
>
--
Philipp Schafft (CEO/Gesch?ftsf?hrer)
Telephone:           +49.3535 490 17 92
Website:             https://www.loewenfelsen.net/
Follow us:           https://www.linkedin.com/company/loewenfelsen/
Gesch?ftsf?hrer/CEO: Philipp Schafft

L?wenfelsen UG (haftungsbeschr?nkt)     Registration number:
Bickinger Stra?e 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015


--
Diese E-Mail wurde von Avast-Antivirussoftware auf Viren gepr?ft.
www.avast.com