woogieman
Joined: 11 Apr 2009 Posts: 33 Location: Eugene, OR. USA
Posted: Thu Apr 08, 2010 11:00 am Post subject: Help on admin
I had to shut down the directory http://yoursite.com:8000/admin/ because of its vulnerability to allow anyone that could log in the ability to Move or Kick listeners from any account. I still need the information that the admin function gives me.
So my question is: How do I log in to the admin area without having to use the authentication dialog box? Is there any way to do it with php accessing the xsl file like the code below?
I was able to get the other stats simply by opening the xsl file and reading its variables. It's a kludge but it does work.
Code:
    // grab entire page for ip and port to be parsed
    // ($ip and $port are set elsewhere by the caller)
    $msg = "";
    $host = 'http://'.$ip.':'.$port.'/radio.xsl';
    if ($fp = fopen($host, 'r'))
    {
        while (!feof($fp))
        {
            $msg .= fgets($fp, 500);
        }
        fclose($fp);
        // the stats sit inside the <pre> block of the rendered page
        $spl = explode('<pre>', $msg);
        $spl = str_replace('</pre>', '', $spl[1]);
        $spl = explode("<br/>", $spl);
        $flds = $spl[0];
        $spl = explode("\n", $flds);
        array_shift($spl); // drop the first line
        $data = array();
        $cnt = 0;
        // each remaining line holds pipe-separated fields; '_END_' marks the end
        foreach ($spl as $e)
        {
            if ($e !== '_END_')
            {
                $p = explode('|', $e);
                $c = count($p);
                for ($n = 0; $n < $c; $n++)
                {
                    if (strlen($p[$n]) == 0)
                        continue;
                    $data[$cnt++] = trim($p[$n]);
                }
            }
        }
    } // closes the fopen() check; this brace was missing from the posted snippet

karlH Code Warrior
Joined: 13 Jun 2005 Posts: 5476 Location: UK
Posted: Thu Apr 08, 2010 12:29 pm Post subject:
You'll need to explain the vulnerability in a bit more detail. If you mean that everyone has access to your admin account then that's not really a vulnerability. If there is an issue to resolve then we'd like to hear about it.
karl.

woogieman
Joined: 11 Apr 2009 Posts: 33 Location: Eugene, OR. USA
Posted: Thu Apr 08, 2010 3:44 pm Post subject: Vulnerability
@karlH: Hey there good to hear from ya. You have helped me much in the past and I appreciate your response.
I don't want to say that it is a big security breach or any big deal.
The scenario is: I have several customers using my icecast2 server(s) and want to give each customer access to admin. But, I only want to give them access to their individual admin. If I give a Username and Password to all of the customers then any customer could move or kick another customer's listeners.
I would like a way to open the file using code similar to what I have above. The only problem doing that is the Authentication Dialog that pops up when you access the admin xsl page.
Is there any way to open that page and login using php or any other web language?
I really need the listener info but I also need to be able to make sure no customer can access any other customer's data stream.
Thanks again for your help! Hope I was clear.

karlH Code Warrior
Joined: 13 Jun 2005 Posts: 5476 Location: UK
Posted: Thu Apr 08, 2010 4:44 pm Post subject:
The admin pages that take a mount arg will be able to use source user/pass, just like the /admin/metadata does for those updates to non-ogg streams.
karl.

woogieman
Joined: 11 Apr 2009 Posts: 33 Location: Eugene, OR. USA
Posted: Thu Apr 08, 2010 5:06 pm Post subject: mount arg
I kinda get the idea but can you give me a command line for what you are talking about. i.e. http://yoursite.com:8000/admin/ and what else do I say? I also don't know how to access the /admin/metadata either.

karlH Code Warrior
Joined: 13 Jun 2005 Posts: 5476 Location: UK

woogieman
Joined: 11 Apr 2009 Posts: 33 Location: Eugene, OR. USA
Posted: Thu Apr 08, 2010 11:53 pm Post subject: admin url
Thanks karlH you're awesome. I will try that link and see if I can log in using the xsl file. I will try it tomorrow as I am off and running. I greatly appreciate the help.
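
karlH's reply above says the admin pages that take a mount argument accept that mount's source user/pass. The following PHP is an added example, not code from the thread or from the Icecast project: it sends the source credentials in a Basic Authorization header up front (so no dialog appears) and binds each customer to one mount on the server side. The customer names, mounts, passwords and sample XML are constructed, and the listener element names in the response are an assumption.

```php
<?php
// Added example. Customers, mounts, passwords and the sample XML below are
// constructed; the <listener> child element names are an assumption.

// Server-side map: each customer is bound to exactly one mount and to that
// mount's source credentials. The global admin password never appears here.
$CUSTOMERS = [
    'alice' => ['mount' => '/alice.mp3', 'user' => 'source', 'pass' => 'alice-source-pw'],
    'bob'   => ['mount' => '/bob.mp3',   'user' => 'source', 'pass' => 'bob-source-pw'],
];

// Build the listener-list request for one customer. The mount is taken from
// the map, never from user input, so a customer cannot name another mount.
function listclients_request(array $customers, string $customer, string $base): array
{
    if (!isset($customers[$customer])) {
        throw new InvalidArgumentException('unknown customer');
    }
    $c = $customers[$customer];
    $url = $base . '/admin/listclients?mount=' . rawurlencode($c['mount']);
    // Sending Basic credentials pre-emptively avoids the 401 challenge/dialog.
    $auth = 'Authorization: Basic ' . base64_encode($c['user'] . ':' . $c['pass']);
    $ctx = stream_context_create(['http' => ['header' => $auth, 'timeout' => 5]]);
    return [$url, $ctx];
}

// Turn the XML reply into plain arrays; returns [] on malformed input.
function parse_listeners(string $xml): array
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        return [];
    }
    $out = [];
    foreach ($doc->xpath('//listener') ?: [] as $l) {
        $out[] = ['id' => (string)$l->ID, 'ip' => (string)$l->IP,
                  'connected' => (int)$l->Connected];
    }
    return $out;
}

// Live use would be: $xml = file_get_contents($url, false, $ctx);
// Here a constructed reply stands in for the server so the example runs offline.
$sample = '<icestats><source mount="/alice.mp3"><Listeners>1</Listeners>'
        . '<listener><IP>192.0.2.10</IP><UserAgent>ExamplePlayer/1.0</UserAgent>'
        . '<Connected>42</Connected><ID>7</ID></listener></source></icestats>';

[$url, $ctx] = listclients_request($CUSTOMERS, 'alice', 'http://yoursite.com:8000');
echo $url, "\n";
print_r(parse_listeners($sample));
```

Because the customer-facing page only ever receives the parsed listener list, neither the admin password nor another customer's source password leaves the server.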