Security Notice - v3.0 on affected PHP installs
Saturday, December 2, 2006, 03:53 PM
PHP servers running with register_globals On and using mp3SDS v3.0 are exposed to a file inclusion vulnerability. If someone is able to create PHP files in the appropriate structure on your server, they can have the web server run the PHP contents. See OSVDB for more information.
Quick Fix for mp3SDS 3.0 Core/core.inc.php File Inclusion exploit:
(place the lines between the <snip> tags at the top of core.inc.php):
---- <snip> -----
// With register_globals On, $HTTP_HOST and $PHP_SELF may already have been
// populated from the request; fall back to the $_SERVER values when empty.
if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
if($PHP_SELF == '') $PHP_SELF=$_SERVER['PHP_SELF'];
// Refuse to run when core.inc.php is requested directly instead of included.
if(strpos(strtolower($PHP_SELF),'core.inc.php')!==false) { die('Denied'); }
---- <snip> -----
Other options are to apply the official patch, or to upgrade mp3SDS to version 3.1, released today.
Update: stripos() is PHP5 only. Above snippet updated to use strpos and strtolower.
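A more defensive form of the same guard, as an added example that is not part of the mp3SDS project or its official patch: it takes the script path from $_SERVER (which a request parameter cannot override even with register_globals On) and additionally requires that the entry script define a constant before including the file; the constant name MP3SDS_ENTRY is an assumption.

```php
<?php
// Added example guard for the top of an include-only file such as core.inc.php.
// Not mp3SDS code. Assumes the front-end script (e.g. index.php) runs
// define('MP3SDS_ENTRY', true); before including this file.
// The permanent fix is register_globals = Off in php.ini; this guard limits
// the damage on hosts where that setting cannot be changed.

// 1. Refuse direct requests by comparing the executing script with this file.
//    $_SERVER is a superglobal and is not rewritten by register_globals,
//    unlike a plain $PHP_SELF variable.
if (realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Denied');
}

// 2. Require that the entry script declared itself first. A direct request,
//    or an include from an unexpected location, cannot satisfy this check.
if (!defined('MP3SDS_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Denied');
}

// 3. Initialise every variable this file relies on from trusted sources, so a
//    request parameter registered as a global cannot pre-seed any of them.
$HTTP_HOST   = $_SERVER['HTTP_HOST'];
$PHP_SELF    = $_SERVER['PHP_SELF'];
$include_dir = dirname(__FILE__);   // include paths are derived here, never from input
```

The constant check also protects other include files in the same tree: each one can carry the same two-line test without needing to know its own file name.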
Version 3.0 Released
Wednesday, July 19, 2006, 12:56 AM
This version of mp3SDS has been a long time in coming. It features Ogg-Vorbis streaming downsampled support, regular expression searching, jscrip folder browser, shuffling/random playlists based on tree location and javascript-free PDA support. (People have streamed from palm Treos and other handheld computing devices using mp3SDS.) Additionally, documentation and style have been tweaked. There are now tar download options, altavista image art lookup, and display theming options. Enjoy!
The download link is in the right column.
Version 2.6 Prerelease Version 4
Monday, March 7, 2005, 02:22 PM
This release adds a new search feature, icons, bugfixes, major file layout cleanups, more display configuration options, support for defining themes, and on-the-fly tarball generation for directories. Note that as this is a prerelease, some functionality that is intended to be in the final release will not be present, such as controls to enable or disable the tarball generation.

Version 2.5 Released
Wednesday, December 22, 2004, 07:45 AM
This release features powerful and accessible user customization via a preferences window. It will scan directories for album art to display, as can be seen in the screenshot. It utilizes getID3, which comes packaged and configured to work with mp3SDS out of box. Many internal enhancements and security bounds checks have been added. With all changes, careful attention has been paid to make sure that it feels just as fast as it did in previous releases, even with the great amount of new features.

Version 2.0 Released
Wednesday, December 22, 2004, 07:45 AM
mp3SDS has merged with mp3SL. The new interface is much improved, and provides instant access to both dynamically downsampled and full quality m3u playlists. mp3SDS now has one-click playing: when you click the song title, your browser is sent an m3u file for just that song. If an MP3 player is associated with m3u files, the clicked song will begin playing immediately. Configuration for mp3SDS has been consolidated: all options are located in a single file. There are now multiple options for launching LAME, including one which nices the process for computers with slower processors.

Version 1.5 Released
Wednesday, December 22, 2004, 07:44 AM
This release supports generating m3u playlists for a folder of MP3s instead of playing them one-by-one. Playlists show the file name, with eventual plans to pass ID3 information as well. It has been modified to work with newer PHP versions where register_globals is off by default. It still supports servers with register_globals on. The streaming code has been updated to use a dynamically sized buffer of bitrate * 1024 + 1024 instead of a hardcoded 128K.

Bugfix Version 1.1 Released
Wednesday, December 22, 2004, 07:43 AM
mp3SDS has been updated to send data in 128KB chunks instead of 1KB chunks; the smaller chunks were causing most people to receive choppy audio streams. The interface now shows less text, freeing more screen space for listing, and includes a previous directory link, by popular request. The code has been cleaned to be more concise.

Version 1.0 Released on Freshmeat
Wednesday, December 22, 2004, 07:43 AM
This was on freshmeat, but the link was unavailable for an extended period of time.