CVE-2002-1470 in SHOUTcast Serverinfo

Summary

by MITRE

SHOUTcast 1.8.9 and earlier allows local users to obtain the cleartext administrative password via a GET request to port 8001, which causes the password to be logged in the world-readable sc_serv.log file.

Analysis

by VulDB Data Team • 09/05/2025

This vulnerability exists in SHOUTcast server versions 1.8.9 and earlier, where a local attacker can exploit a misconfiguration to retrieve administrative credentials through a simple GET request to port 8001. The flaw stems from the server's improper handling of administrative authentication requests, which results in cleartext passwords being written to a world-readable log file named sc_serv.log. This represents a critical security oversight that violates fundamental principles of credential protection and access control. The vulnerability is classified under CWE-256 as "Incomplete Password Recovery or Reset Functionality" and also relates to CWE-778 as "Insufficient Logging" since the system fails to properly secure sensitive information in its logging mechanisms.

The technical execution of this exploit requires only local network access to the affected server and involves sending a specific GET request to port 8001, which triggers the server to log administrative credentials in plaintext format. This logging behavior creates a persistent security risk since the log file is world-readable, meaning any user on the system or network can access the sensitive information. The vulnerability demonstrates poor security design practices where administrative credentials are not properly obfuscated or protected during server operations, creating an attack surface that directly exposes privileged access information. This flaw enables privilege escalation attacks and provides attackers with immediate administrative control over the streaming server.

The operational impact of this vulnerability extends beyond simple credential theft, as it fundamentally compromises the security posture of any system running vulnerable SHOUTcast versions. Once an attacker obtains the administrative password, they gain complete control over the streaming server, including the ability to modify content, configure server settings, add or remove streams, and potentially use the server as a pivot point for further attacks within the network. The vulnerability also creates a persistent backdoor since the password remains exposed in the log file until manually cleared or rotated. This type of vulnerability aligns with ATT&CK technique T1566 as "Phishing" and T1078 as "Valid Accounts" since it provides unauthorized access through legitimate administrative credentials, and T1562 as "Impair Defenses" since it undermines the server's own logging and authentication mechanisms.

Mitigation strategies for this vulnerability require immediate patching of affected SHOUTcast installations to versions that properly handle administrative credential logging. System administrators should ensure that log files are properly secured with appropriate file permissions and that sensitive information is not written to world-readable locations. The recommended approach includes implementing proper access controls on log directories, enabling log rotation with secure permissions, and configuring the server to either obfuscate or completely omit administrative credentials from log output. Additionally, network segmentation and monitoring should be implemented to detect unauthorized access attempts to port 8001, and regular security audits should verify that logging mechanisms properly protect sensitive information. Organizations should also establish incident response procedures for detecting and responding to credential exposure events, as this vulnerability represents a significant risk to digital asset security and compliance with information protection standards.
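The two checks the mitigation paragraph calls for, verifying that the log file is not world-readable and verifying that no request line in it carries a cleartext credential, can be scripted. The following is an added example written for this entry; it is not VulDB's or SHOUTcast's own code. The log lines and the `/admin?pass=...` request shape are constructed for illustration (the real sc_serv.log format is not shown on this page), so `SECRET_RE` and `SAMPLE_LOG` are assumptions to adapt to the format actually in use.

```python
"""Defender-side audit for the sc_serv.log exposure described in this entry.

Added example, not code from VulDB or the SHOUTcast project. Assumptions:
the sample log format below is constructed, and the credential is assumed
to be logged as a `pass=` / `password=` query parameter of a GET request.
"""
import os
import re
import stat
from typing import Dict, List, Tuple

# Query-string keys that must never reach a log file in cleartext.
# Case-insensitive; \b keeps "bypass=" from matching "pass=".
SECRET_RE = re.compile(r"(?i)\b(pass|password|adminpassword)=([^&\s]+)")

# Constructed sample of a world-readable server log (illustrative format only).
SAMPLE_LOG = """\
<03/26/03@10:14:01> [main] server started on port 8001
<03/26/03@10:14:12> [admin] GET /admin?mode=viewlog&pass=Hunter2 from 127.0.0.1
<03/26/03@10:14:30> [source] connected from 10.0.0.5
<03/26/03@10:15:02> [admin] GET /admin?password=s3cret&mode=kicksrc from 127.0.0.1
"""


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit is set, e.g. mode 0o644 or 0o664."""
    return bool(mode & stat.S_IROTH)


def find_logged_credentials(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line carrying a credential.

    The secret value itself is replaced before the line is returned, so the
    finding can be forwarded to a SIEM or ticket without re-exposing it.
    """
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if SECRET_RE.search(line):
            redacted = SECRET_RE.sub(lambda m: f"{m.group(1)}=<REDACTED>", line)
            findings.append((number, redacted))
    return findings


def audit(mode: int, log_text: str) -> Dict[str, object]:
    """Combine both checks; 'exposed' is True only if the file is world-readable
    AND at least one line contains a credential (the condition in this CVE)."""
    findings = find_logged_credentials(log_text)
    readable = is_world_readable(mode)
    return {
        "world_readable": readable,
        "credential_lines": [n for n, _ in findings],
        "redacted": [line for _, line in findings],
        "exposed": readable and bool(findings),
    }


def audit_file(path: str) -> Dict[str, object]:
    """Run the audit against a real log file on disk (path is an assumption)."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(mode, fh.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample with a 0o644 mode.
    result = audit(0o644, SAMPLE_LOG)
    print("world-readable:", result["world_readable"])
    print("credential lines:", result["credential_lines"])
    for line in result["redacted"]:
        print("  ", line)
    print("EXPOSED" if result["exposed"] else "ok")
```

Running `audit_file("/path/to/sc_serv.log")` on a host reproduces the page's condition directly: a result with `exposed` set should be treated as a credential-compromise event, which means rotating the administrative password, tightening the file mode (for example `chmod 640`) and only then clearing or rotating the log.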

Disclosure

04/22/2003

Moderation

accepted

Entry

VDB-20379

CPE

ready

EPSS

0.00477

KEV

no

Activities

very low

Sources
