Icecast 1.1.x/1.3.x - Slash File Name Denial of Service

Author: gollum
type: dos
platform: multiple
port: 
date_added: 2001-06-26 
date_updated: 2012-09-01 
verified: 1 
codes: CVE-2001-1083;OSVDB-5472 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/2933/info

Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.

Icecast does not sufficiently sanitize user-supplied input, or sanely handle unexpected input. Upon receiving a request from a user for a file that ends with a slash or period, the server will crash. The behaviour occurs when the remote attacker adds an '/', '\' or '.' to the end the URL they craft to request the file. The request of an existing file is not necessary, as the Icecast server will fail regardless.

http://localhost:8000/file//

NOTE: File is interpreted by Icecast as the 'root' directory and anything after 'file/' indicates the file request. The character '/' triggers the denial of service.