Icecast is an open-source audio-streaming server for both Unix-based and Microsoft Windows systems. Icecast contains multiple vulnerabilities that can allow a remote attacker to crash the server or traverse the server's directories and files.
The disruption of service is caused by Icecast not properly handling user input. An attacker can crash the server with a malformed file request, created by appending a '/', '\', and '.' to the end of the URL. The requested file does not have to exist for the remote attacker to exploit this vulnerability.
The directory traversal vulnerability is caused by Icecast not properly handling encoded characters. An attacker can create a malformed URL containing encoded ASCII characters to bypass the URL filtering mechanism and successfully access known files. The remote attacker can exploit this vulnerability to read files accessible through the Icecast server's group membership, including files outside of Icecast's root directory.
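One way to close the encoded-character bypass described above, as an added example that is not Icecast's own code: decode the request path once, then run the traversal check on the decoded bytes, so an encoded and a literal ".." are treated the same. The function names and the 1024-byte buffer are assumptions; a trailing '/' or '.' is handled as ordinary input and a backslash is rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Icecast code; all names here are hypothetical. */
static int hexval(int c) {
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* Decode %XX once; -1 on bad escape, decoded NUL or '\', or overflow. */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0' || c == '\\' || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* 1 if the decoded path stays inside the root, 0 if it must be rejected. */
int path_is_safe(const char *url_path) {
    char buf[1024];
    int depth = 0;
    if (url_path[0] != '/' || url_decode(url_path, buf, sizeof buf)) return 0;
    for (char *p = buf; *p != '\0'; ) {
        size_t len = strcspn(p, "/");            /* length of next segment */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;           /* would climb above root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                             /* ordinary segment */
        }
        p += len;
        if (*p == '/') p++;
    }
    return 1;
}

int main(void) {   /* constructed request paths: prints "1 0" */
    printf("%d %d\n", path_is_safe("/live.ogg"), path_is_safe("/%2e%2e/x"));
    return 0;
}
```

The check only holds if no later stage decodes the path a second time; the file lookup should use the already-decoded bytes.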