----------------------------------------------------------

Description:

There exists a vulnerability in SHOUTcast, which can be exploited via
script insertion attacks.  Input passed to the incoming SHOUTcast web
interface (default is port 8000) is not properly sanitized.
Therefore, the input can contain arbitrary HTML and script code which
will be outputted to the log file without being sanitized.  Upon
viewing the log file in the browser via the administrator panel, the
malicious code will be executed in the administrator's browser.

----------------------------------------------------------

Affected Versions:

The vulnerability is confirmed in version 1.9.8.  Other versions may
also be affected.

----------------------------------------------------------

Method:

Construct a basic HTTP GET request destined to the victim's SHOUTcast
web interface.  Insert the malicious code in the User Agent field of
the packet.

----------------------------------------------------------

Solution:

Filter malicious characters and character sequences before logging the
input to the log file, and also before displaying the contents of the
log file in the browser.

----------------------------------------------------------

Discovered on:

December 15, 2008

----------------------------------------------------------

Discovered by:

Stephen Komal, Ronald Gutierrez, Joseph Puran

----------------------------------------------------------

Special thanks to our elite instructors:

Dan Guido, Mike Zusman, Erik Cabetas, Dean De Beer, Dino Dai Zovi,
Stephen A. Ridley

----------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/