[vlc-devel] VLC 0.9.8a Web UI (input) Remote Denial of Service

Rémi Denis-Courmont rem at videolan.org
Tue Mar 17 19:09:25 CET 2009

Le lundi 16 mars 2009 23:54:01 פלדמן פלדמן, vous avez écrit :
> Sorry I haven't been posting this before I published the exploit. Guess
> It's better late than never..
> VLC 0.9.8a suffers from a remote stack overflow in the web UI which can be
> exploited to remotely cause a denial of service. The bug can be exploited
> by sending an HTTP GET request to status.xml with the argument "input"
> overflowed by an around 2,000,000 character long buffer.

Well yeah. It is actually a genuine stack overflow, not a stack-based buffer 
overflow. But only trusted users shall be granted access to the HTTP 
interface, otherwise you have more serious problems in the first place.

Rémi Denis-Courmont

More information about the vlc-devel mailing list