Icecast Streaming Media Server Forum Index Icecast Streaming Media Server
Icecast is a Xiph Foundation Project
 

Help on admin

 
woogieman



Joined: 11 Apr 2009
Posts: 33
Location: Eugene, OR. USA

Posted: Thu Apr 08, 2010 11:00 am    Post subject: Help on admin

I had to shut down the directory http://yoursite.com:8000/admin/ because of its vulnerability to allow anyone that could log in the ability to Move or Kick listeners from any account. I still need the information that the admin function gives me.
So my question is: How do I login to the admin area without having to use the authentication dialog box? Is there any way to do it with php accessing the xsl file like the code below?
I was able to get the other stats simply by opening the xsl file and reading its variables. It's a kludge but it does work.
Code:
         // grab entire page for ip and port to be parsed
         // ($ip and $port are expected to be set by the calling code)
         $msg="";
         $host = 'http://'.$ip.':'.$port.'/radio.xsl';
         if ($fp = fopen($host,'r'))
         {
            // read the whole response into $msg
            while(!feof($fp))
            {
                 $msg .= fgets($fp, 500);
            }
            fclose($fp);

            // keep only the text inside the first <pre> block, up to the first <br/>
            $spl = explode( '<pre>', $msg );
            $spl = str_replace( '</pre>', '', $spl[1] );
            $spl = explode( "<br/>", $spl );
            $flds = $spl[0];
            // one record per line; the first line is dropped
            $spl = explode( "\n", $flds );
            array_shift($spl);
            $data = array();
            $cnt=0;
            foreach($spl as $e)
            {
               if ($e !== '_END_')
               {
                  // fields are '|' separated; empty fields are skipped
                  $p = explode('|', $e);
                  $c = count($p);
                  for ($n=0; $n < $c; $n++)
                  {
                     if (strlen($p[$n])==0)
                        continue;
                     $data[$cnt++] = trim($p[$n]);
                  }
               }
            }
         }
karlH
Code Warrior


Joined: 13 Jun 2005
Posts: 5476
Location: UK

Posted: Thu Apr 08, 2010 12:29 pm    Post subject:

You'll need to explain the vulnerability in a bit more detail. If you mean that everyone has access to your admin account then that's not really a vulnerability. If there is an issue to resolve then we'd like to hear about it.

karl.
woogieman



Joined: 11 Apr 2009
Posts: 33
Location: Eugene, OR. USA

Posted: Thu Apr 08, 2010 3:44 pm    Post subject: Vulnerability

@karlH: Hey there good to hear from ya. You have helped me much in the past and I appreciate your response.
I don't want to say that it is a big security breach or any big deal.
The scenario is: I have several customers using my icecast2 server(s) and want to give each customer access to admin. But, I only want to give them access to their individual admin. If I give a Username and Password to all of the customers then any customer could move or kick another customer's listeners.
I would like a way to open the file using code similar to what I have above. The only problem doing that is the Authentication Dialog that pops up when you access the admin xsl page.
Is there any way to open that page and login using php or any other web language?
I really need the listener info but I also need to be able to make sure no customer can access any other customer's data stream.
Thanks again for your help! Hope I was clear.
karlH
Code Warrior


Joined: 13 Jun 2005
Posts: 5476
Location: UK

Posted: Thu Apr 08, 2010 4:44 pm    Post subject:

The admin pages that take a mount arg will be able to use source user/pass, just like the /admin/metadata does for those updates to non-ogg streams.

karl.
woogieman



Joined: 11 Apr 2009
Posts: 33
Location: Eugene, OR. USA

Posted: Thu Apr 08, 2010 5:06 pm    Post subject: mount arg

I kinda get the idea, but can you give me a command line for what you are talking about? I.e. http://yoursite.com:8000/admin/ and what else do I say? I also don't know how to access the /admin/metadata either.
karlH
Code Warrior


Joined: 13 Jun 2005
Posts: 5476
Location: UK

Posted: Thu Apr 08, 2010 5:57 pm    Post subject:

eg http://source:pw@host:8000/admin/stats?mount=/mystream.ogg

just the same urls that you would use with admin access

karl.
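
The per-mount access karlH describes, as an added example that is not part of the original thread and is not Icecast project code: a customer dashboard requests /admin/stats?mount=... with that mount's own source credentials in an Authorization header, and takes the mount from a server-side table rather than from the request. The host, the tenant table, the passwords and the sample XML layout are assumptions.

```php
<?php
// Added example, not Icecast project code; hosts, mounts and passwords are placeholders.

// Hypothetical server-side table: one mount and one source login per customer.
$tenants = [
    'customer-a' => ['mount' => '/mystream.ogg', 'user' => 'source', 'pass' => 'CHANGE-ME-A'],
    'customer-b' => ['mount' => '/other.ogg',    'user' => 'source', 'pass' => 'CHANGE-ME-B'],
];

// Request /admin/stats for one mount, authenticating as that mount's source.
function fetch_mount_stats(string $host, int $port, array $tenant): string
{
    // Keep the slashes literal, as in the URL form shown in the thread.
    $mount = str_replace('%2F', '/', rawurlencode($tenant['mount']));
    $url   = sprintf('http://%s:%d/admin/stats?mount=%s', $host, $port, $mount);
    // Basic auth goes in a header, so the password is never part of a URL
    // that gets logged or echoed in a PHP warning.
    $ctx = stream_context_create(['http' => [
        'header'  => 'Authorization: Basic '
                   . base64_encode($tenant['user'] . ':' . $tenant['pass']),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('stats request failed or was refused');
    }
    return $body;
}

// Pull the listener counter for exactly one mount out of the stats XML.
// The <icestats><source mount="..."> layout is assumed here.
function parse_mount_stats(string $xml, string $mount): array
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        throw new RuntimeException('stats response is not valid XML');
    }
    foreach ($doc->source as $src) {
        if ((string) $src['mount'] === $mount) {
            return ['mount' => $mount, 'listeners' => (int) $src->listeners];
        }
    }
    throw new RuntimeException('mount not present in response');
}

// Constructed sample response so the parser can be run offline.
$sample = '<icestats><source mount="/mystream.ogg"><listeners>3</listeners></source></icestats>';
print_r(parse_mount_stats($sample, $tenants['customer-a']['mount']));
```

Against a live server, pass the result of fetch_mount_stats() for the logged-in customer's table entry to parse_mount_stats(); the global admin password is never needed by the dashboard.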
woogieman



Joined: 11 Apr 2009
Posts: 33
Location: Eugene, OR. USA

Posted: Thu Apr 08, 2010 11:53 pm    Post subject: admin url

Thanks karlH you're awesome. I will try that link and see if I can log in using the xsl file. I will try it tomorrow as I am off and running. I greatly appreciate the help.
All times are GMT