GNUMP3d Discloses Files on the Target System to Remote Users and Permits Cross-Site Scripting Attacks

2005.10.29

Credit: Steve Kemp

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2005-3122 | CVE-2005-3123

CWE: N/A

Debian reported:
 
Steve Kemp discovered two vulnerabilities in gnump3d, a streaming
server for MP3 and OGG files.  The Common Vulnerabilities and
Exposures Project identifies the following problems:
 
CVE-2005-3122
 
    The 404 error page does not strip malicious javascript content
    from the resulting page, which would be executed in the victims
    browser.
 
CVE-2005-3123
 
    By using specially crafting URLs it is possible to read arbitary
    files to which the user of the streaming server has access to.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

GNUMP3d Discloses Files on the Target System to Remote Users and Permits Cross-Site Scripting Attacks

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.