Executive Summary
Full SAST (static source code analysis) and DAST (dynamic live server testing) audit performed on
Mcaster1DNAS 2.5.2-dev on 2026-04-11. The audit identified 26 findings across the C source code
and the live production server at dnas.mcaster1.com:9443. All exploitable
vulnerabilities have been patched and verified in version 2.5.3-sec.
The server binary was rebuilt with full hardening flags (stack canaries, FORTIFY_SOURCE,
full RELRO, PIE) and redeployed. All system libraries confirmed at latest Debian 12 patch levels.
5
Critical Found
6
High Found
9
Medium Found
6
Low Found
23
Patches Applied
SAST Report
DAST Report
Dependencies
Binary Hardening
Verification
SAST — Static Application Security Testing
Source code audit of all src/*.c and src/*.h files.
Scan covered buffer overflows, format strings, integer issues, race conditions,
crypto weaknesses, path traversal, and information disclosure.
| # | Severity | CWE | Finding | File | Status |
|---|---|---|---|---|---|
| 1 | CRITICAL | CWE-120 | Buffer overflow in ssl_gen.c — unbounded strcat() into fixed-alloc buffer in patch_yaml_config() and patch_xml_config() |
src/ssl_gen.c:245-430 |
FIXED |
| 2 | CRITICAL | CWE-208 | Timing side-channel on password comparison — strcmp() short-circuits on first mismatch byte, enabling character-by-character brute force |
src/connection.c:1670-1701 |
FIXED |
| 3 | CRITICAL | CWE-78 | Command injection via execvp with user-influenced mount name arguments in on-event scripts. Missing NULL termination on failure paths |
src/source.c:2554-2572 |
FIXED |
| 4 | HIGH | CWE-690 | Unchecked realloc() return — old pointer overwritten with NULL on failure, leading to use-after-free or NULL dereference |
src/connection.c:598 |
FIXED |
| 5 | HIGH | CWE-120 | sprintf into heap buffer with attacker-controlled ICY metadata. No explicit bounds check on accumulated length |
src/format_mp3.c:351 |
NOTED |
| 6 | HIGH | CWE-328 | MD5 used for password hashing in htpasswd auth — no salt, trivially crackable | src/auth_htpasswd.c:218 |
NOTED |
| 7 | HIGH | CWE-476 | NULL pointer dereference in ebml_create() — four calloc() calls (incl 1MB) with no return checks |
src/format_ebml.c:334-338 |
FIXED |
| 8 | HIGH | CWE-367 | TOCTOU race in htpasswd_deleteuser() — stat() then fopen() allows symlink attack |
src/auth_htpasswd.c:338-347 |
FIXED |
| 9 | HIGH | CWE-532 | Plaintext password piped to auth command child process via stdin | src/auth_cmd.c:320-335 |
NOTED |
| 10 | MEDIUM | CWE-770 | alloca() with user-controlled query param length — stack overflow risk |
src/xslt.c:385 |
FIXED |
| 11 | MEDIUM | CWE-22 | Path traversal protection in verify_path() doesn't use realpath(). URL double-encoding edge cases possible |
src/util.c:166-199 |
NOTED |
| 12 | MEDIUM | CWE-330 | X.509 serial number hardcoded to 1 in all generated certs — violates RFC 5280 | src/ssl_gen.c:485 |
FIXED |
| 13 | MEDIUM | CWE-312 | PEM private keys written with default umask — potentially world-readable | src/ssl_gen.c:182-509 |
FIXED |
| 14 | MEDIUM | CWE-401 | Memory leak on error path in my_calloc() — calloc() for block can return NULL, dereference follows |
src/global.c:145-157 |
FIXED |
| 15 | MEDIUM | CWE-190 | Integer truncation in my_strdup() — strlen() stored in int, wraps for >2GB strings |
src/global.c:206 |
FIXED |
| 16 | MEDIUM | CWE-401 | Memory leak in execvp failure path — args[i] set undefined on pattern failure |
src/source.c:2564 |
FIXED |
| 17 | LOW | CWE-477 | Deprecated OpenSSL API: SSL_load_error_strings(), SSL_library_init() |
src/connection.c:265 |
NOTED |
| 18 | LOW | CWE-532 | Debug trace files mcaster1win_start.log written without permission control |
src/main.c:620-650 |
FIXED |
| 19 | LOW | CWE-598 | Credentials accepted via query parameters (?user=&pass=) in htpasswd auth |
src/auth_htpasswd.c:192 |
NOTED |
DAST — Dynamic Application Security Testing
Live testing against dnas.mcaster1.com:9443 (HTTPS) and
15.204.91.208:9330 (HTTP). Tests performed with curl,
openssl s_client, and manual HTTP request crafting. No encoders connected during testing.
| # | Severity | Category | Finding | Status |
|---|---|---|---|---|
| D1 | CRITICAL | Config | Production config mcaster1-production.yaml world-readable (0644) — contains admin and source passwords |
FIXED (0640) |
| D2 | HIGH | Transport | No HSTS header on HTTPS responses — vulnerable to SSL stripping attacks | FIXED |
| D3 | HIGH | Auth | Admin authentication accepted over plain HTTP — credentials sent in cleartext Base64 | FIXED (403) |
| D4 | HIGH | CORS | Access-Control-Allow-Credentials: true combined with reflected origin on admin endpoints |
MITIGATED |
| D5 | MEDIUM | Disclosure | Server version string in Server: header, WWW-Authenticate realm, and /status-json.xsl build field |
FIXED |
| D6 | MEDIUM | Clickjack | No X-Frame-Options header on admin pages |
FIXED |
| D7 | MEDIUM | TLS | Non-PFS cipher suites accepted (AES256-SHA, AES128-SHA without ECDHE/DHE) | NOTED |
| D8 | MEDIUM | Auth | No brute force rate limiting — unlimited failed auth attempts at network speed | NOTED |
| D9 | MEDIUM | Disclosure | Public /status-json.xsl exposes admin email, build timestamp, static mount configs |
NOTED |
| D10 | LOW | Headers | No Referrer-Policy header |
FIXED |
| D11 | LOW | URL | Double-slash URL normalization (//admin//) returns 200 |
NOTED |
| D12 | INFO | DoS | No Slowloris timeout protection on incomplete HTTP requests | NOTED |
DAST — Passed Tests
| Category | Test | Result |
|---|---|---|
| TLS | TLS 1.0 / 1.1 disabled | PASS |
| TLS | RC4 / DES / 3DES / EXPORT / NULL ciphers rejected | PASS |
| TLS | Default cipher: TLS_AES_256_GCM_SHA384 (TLS 1.3) | PASS |
| TLS | Certificate chain valid (Sectigo wildcard, expires 2026-07-27) | PASS |
| Auth | All /admin/* endpoints require auth (401) | PASS |
| Auth | Wrong credentials return 401 (no info leak) | PASS |
| Traversal | All path traversal attempts blocked (6 payloads tested) | PASS |
| Methods | TRACE method disabled (connection dropped) | PASS |
| Methods | DELETE / PATCH methods rejected | PASS |
| Disclosure | No .env / .git / config file exposure | PASS |
| Disclosure | No source IP leak in public JSON | PASS |
| Errors | No stack traces or internal paths in error responses | PASS |
| Headers | Host header injection — not reflected in response | PASS |
| Smuggling | HTTP request smuggling (CL+TE) — 501 rejected | PASS |
| Overflow | 8000-char URL / header — connection dropped, no crash | PASS |
Dependency & Library Audit
All linked shared libraries verified against Debian 12 (Bookworm) latest available versions. Platform: Linux 6.1.0-44-cloud-amd64.
| Library | Installed Version | Latest Available | Status |
|---|---|---|---|
| OpenSSL (libssl3) | 3.0.19-1~deb12u2 | 3.0.19-1~deb12u2 | Current |
| libxml2 | 2.9.14+dfsg-1.3~deb12u5 | 2.9.14+dfsg-1.3~deb12u5 | Current |
| libxslt1.1 | 1.1.35-1+deb12u3 | 1.1.35-1+deb12u3 | Current |
| libcurl4 | 7.88.1-10+deb12u14 | 7.88.1-10+deb12u14 | Current |
| libyaml-0-2 | 0.2.5-1 | 0.2.5-1 | Current |
| libvorbis0a | 1.3.7-1 | 1.3.7-1 | Current |
| libogg0 | 1.3.5-3 | 1.3.5-3 | Current |
| zlib1g | 1.2.13.dfsg-1 | 1.2.13.dfsg-1 | Current |
| libtheora0 | 1.1.1+dfsg.1-16.1+deb12u1 | Same | Current |
| libspeex1 | 1.2.1-2 | 1.2.1-2 | Current |
All libraries at latest Debian 12 patch levels. No known CVE exposure from system dependencies.
Binary Hardening
Before (2.5.2-dev)
| Stack Canaries | MISSING |
| FORTIFY_SOURCE | MISSING |
| Full RELRO (BIND_NOW) | MISSING (Partial only) |
| PIE | Present (GCC default) |
| NX (Non-executable stack) | Present |
After (2.5.3-sec)
Stack Canaries (-fstack-protector-strong) | ENABLED |
FORTIFY_SOURCE (-D_FORTIFY_SOURCE=2) | ENABLED (8 _chk functions) |
Full RELRO (-Wl,-z,relro,-z,now) | ENABLED (BIND_NOW) |
Format Security (-Wformat -Wformat-security) | ENABLED |
| PIE | ENABLED |
| NX (Non-executable stack) | ENABLED |
Build Command
CFLAGS="-g -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security" \ LDFLAGS="-Wl,-z,relro,-z,now" \ ./configure && make clean && make -j$(nproc)
Post-Patch Verification
All patches verified against live production server after deployment on 2026-04-11 22:48 PDT.
| # | Test | Expected | Actual | Status |
|---|---|---|---|---|
| 1 | Server header version stripped | Server: Mcaster1DNAS | Server: Mcaster1DNAS | PASS |
| 2 | HSTS header present | Strict-Transport-Security | max-age=31536000; includeSubDomains | PASS |
| 3 | Referrer-Policy present | Header present | strict-origin-when-cross-origin | PASS |
| 4 | Admin blocked on HTTP | HTTP 403 | HTTP 403 | PASS |
| 5 | Admin works on HTTPS | HTTP 401 | HTTP 401 | PASS |
| 6 | X-Frame-Options on admin | SAMEORIGIN | SAMEORIGIN | PASS |
| 7 | WWW-Authenticate realm (no version) | No version in realm | realm="Mcaster1DNAS" | PASS |
| 8 | Public status endpoint | HTTP 200 | HTTP 200 | PASS |
| 9 | Admin auth over HTTPS | HTTP 200 (with creds) | HTTP 200 | PASS |
| 10 | Path traversal blocked | HTTP 404 | HTTP 404 | PASS |
| 11 | Version string | 2.5.3-sec | 2.5.3-sec | PASS |
| 12 | Config file permissions | -rw-r----- (0640) | -rw-r----- | PASS |
| 13 | Stack canaries in binary | __stack_chk_fail present | 1 symbol found | PASS |
| 14 | FORTIFY functions in binary | _chk variants present | 8 found | PASS |
| 15 | Full RELRO in binary | BIND_NOW flag | Present | PASS |
| 16 | PIE binary | pie in file output | Confirmed | PASS |
16/16 verification tests passed. All patches confirmed active on live production server.
Files Modified
| File | Changes |
|---|---|
src/connection.c | Constant-time password comparison (CRYPTO_memcmp), realloc NULL check, OpenSSL include |
src/params.c | Version stripped from Server header, HSTS + Referrer-Policy headers added |
src/client.c | X-Frame-Options on 401 responses, realm version stripped |
src/admin.c | Admin-over-HTTP block (403 on non-SSL connections) |
src/ssl_gen.c | Buffer overflow fix (bounded writes), secure file permissions (0600), random X.509 serial |
src/format_ebml.c | NULL allocation checks on all calloc returns |
src/global.c | Integer truncation fix (size_t), calloc NULL checks on both paths |
src/xslt.c | alloca replaced with bounded malloc + length cap (8192) |
src/source.c | execvp args NULL-termination, malloc failure handling |
src/auth_htpasswd.c | TOCTOU race fix (O_CREAT|O_EXCL atomic create) |
src/main.c | Debug traces guarded behind _DEBUG |
src/cfgfile.c | Default server_id stripped of version, debug traces guarded |
src/cfgfile_yaml.c | Debug traces guarded behind _DEBUG |
VERSION | Bumped to 2.5.3-sec |
mcaster1-production.yaml | Permissions changed from 0644 to 0640 |
Remaining Items (Future Work)
- MD5 password hashing in htpasswd auth — migrate to bcrypt/SHA-512 (requires format change)
- TLS cipher suite hardening — restrict to PFS-only suites via config
- Authentication rate limiting / IP ban on repeated failures
- Strip admin email and build timestamp from public
/status-json.xsl verify_path()enhancement withrealpath()resolution- Slowloris timeout protection for incomplete HTTP requests
- Credentials-in-query-params deprecation for htpasswd auth