Vulnerability
Winamp SHOUTcast server

Affected
Winamp SHOUTcast server

Description
Michael Arrow found the following. He was recently setting up a Nullsoft SHOUTcast server to relay some content when he noticed that the Administrator password is stored in plain text in the configuration file (./sc_serv.conf by default).

The password is also LOGGED when the web based administration tool is used, because it is passed as a GET parameter. It can be obtained by simply grep'ing the logfile output. The offending line is here:

<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))

Obtaining the Administrator password allows administration via the web based system, as well as hijacking the content stream going out to listeners.

Solution
A quick fix would be to simply chmod the log and config files to prevent world reading. Nullsoft should of course parse their log output for sensitive data, and possibly look into UNIX crypt() for its passwords.

It seems that many people still do not get the idea that POST should be used instead of GET in any situation where authentication takes place via an HTML page. The GET arguments can show up not only in the web server log, but also in the log of any proxy server standing between the web server and the person trying to authenticate.
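As an added example (not part of the original advisory or of SHOUTcast itself), the following Python scrubs credential-bearing GET parameters out of SHOUTcast-style request log lines and flags the lines that already leaked one, which is the kind of log post-processing the solution above asks Nullsoft for. The parameter names other than "pass" and the second and third sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names treated as credentials. Only "pass" is confirmed
# by the advisory; the others are assumptions added for generality.
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pw"}

# Matches the REQ:"..." field of a SHOUTcast-style request log line.
REQ_RE = re.compile(r'REQ:"([^"]*)"')

# Constructed sample log: line 1 is the advisory's own example, lines 2-3 are made up.
SAMPLE_LOG = [
    '<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
    '<08/20/99@06:12:03> [http:2 my.computer.com] REQ:"/" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
    '<08/20/99@06:12:30> [http:3 my.computer.com] REQ:"/admin.cgi?mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
]

def redact_request(url: str) -> str:
    """Return the request URL with sensitive query values replaced by [REDACTED]."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    # safe="[]" stops urlencode from percent-encoding the marker brackets
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))

def redact_log_line(line: str) -> str:
    """Rewrite one log line so its REQ field no longer carries a credential."""
    return REQ_RE.sub(lambda m: 'REQ:"%s"' % redact_request(m.group(1)), line)

def leaked_credential_lines(lines) -> list:
    """Detection: 1-based numbers of lines whose REQ field exposes a non-empty credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        pairs = parse_qsl(urlsplit(m.group(1)).query)
        if any(k.lower() in SENSITIVE_PARAMS and v for k, v in pairs):
            hits.append(n)
    return hits

if __name__ == "__main__":
    print("lines leaking a credential:", leaked_credential_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

Running the scrubber before a log is written to disk (or before it is shipped elsewhere) removes the value the advisory shows being recovered with grep; running the detector over existing logs tells you which files still need rotating after the chmod.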