[vlc-devel] VLC 0.9.8a Web UI (input) Remote Denial of Service
Rémi Denis-Courmont
rem at videolan.org
Tue Mar 17 19:09:25 CET 2009
On Monday 16 March 2009 23:54:01 פלדמן פלדמן, you wrote:
> Sorry I haven't been posting this before I published the exploit. Guess
> it's better late than never..
>
> VLC 0.9.8a suffers from a remote stack overflow in the web UI which can be
> exploited to remotely cause a denial of service. The bug can be exploited
> by sending an HTTP GET request to status.xml with the argument "input"
> by a buffer around 2,000,000 characters long.
Well yeah. It is actually a genuine stack overflow, not a stack-based buffer
overflow. But only trusted users shall be granted access to the HTTP
interface, otherwise you have more serious problems in the first place.
--
Rémi Denis-Courmont
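
The distinction drawn in the reply, as an added example that is not part of the thread and not VLC's code: the first function assumes the request value is copied into a stack buffer sized from its length, which exhausts the stack without any out-of-bounds write; the second bounds the value first. The function names and the 4096-byte cap are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for the "input" argument; not a VLC constant. */
#define MAX_INPUT_PARAM 4096

/* Pattern that exhausts the stack (hypothetical, not VLC's code):
 * the frame grows with the request, so every write stays in bounds,
 * but a value of about 2,000,000 characters can outgrow the thread's
 * stack and crash the process. */
int first_char_stack_copy(const char *value)
{
    size_t n = strlen(value);
    char copy[n + 1];              /* VLA sized by the client */
    memcpy(copy, value, n + 1);
    return (unsigned char)copy[0];
}

/* Bounded form: measure at most MAX_INPUT_PARAM + 1 bytes, reject
 * oversized values, and keep the copy on the heap.
 * Returns 0 and sets *out (caller frees), or E2BIG / ENOMEM. */
int copy_input_param(const char *value, char **out)
{
    size_t n = 0;
    *out = NULL;
    while (n <= MAX_INPUT_PARAM && value[n] != '\0')
        n++;
    if (n > MAX_INPUT_PARAM)
        return E2BIG;
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return ENOMEM;
    memcpy(copy, value, n);
    copy[n] = '\0';
    *out = copy;
    return 0;
}
```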