COMMAND

    RealPlayer built-in web server discloses system files

SYSTEMS AFFECTED

    RealPlayer 6.0.7, others ?

PROBLEM

    §ome1 posted :

    Open RealPlayer, go to --> File ---> Open File.. ---> Select any
    real media file..

        ex: c:\music\file.ram

    Play the file. Now go to ---> View ---> Clip Source

    RealPlayer will open the URL

        http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram

    From now on realplay.exe will listen on port 1275 TCP. As you can
    see, RealPlayer has a (Mini WebServer) that listens on port 1275.
    I only tested the ../../ bug

        GET http://127.0.0.1:1275/../../../../../boot.ini

    Result: my boot.ini

SOLUTION

    Upgrade ??
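
The containment check an embedded web server needs before it opens a requested file, shown beside an unchecked join that reproduces the ../../ result reported above. This is an added example, not RealPlayer's code and not part of the original advisory; DOC_ROOT, naive_resolve and safe_resolve are hypothetical names, and POSIX-style paths are assumed so the result is the same on any platform.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical document root for the embedded server (assumption).
DOC_ROOT = "/srv/player/templates"


def naive_resolve(request_target):
    """Model of the flaw: the request path is appended to the root unchecked."""
    path = urlsplit(request_target).path
    return posixpath.normpath(DOC_ROOT + "/" + path)


def safe_resolve(request_target):
    """Return the file path inside DOC_ROOT, or None if the request escapes it."""
    # Decode once, so %2e%2e is seen as ".." before the containment check.
    path = unquote(urlsplit(request_target).path)
    # Reject NUL bytes and backslashes (a path separator on Windows).
    if "\x00" in path or "\\" in path:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    # Lexical containment check; a real server should also resolve symlinks.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


# Constructed sample requests: the two from the report plus encoded variants.
SAMPLES = [
    "/template.html?src=file://C:/music/file.ram",
    "http://127.0.0.1:1275/../../../../../boot.ini",
    "/%2e%2e/%2e%2e/boot.ini",
    "/..\\..\\boot.ini",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target!r}: naive={naive_resolve(target)!r} safe={safe_resolve(target)!r}")
```

A request that safe_resolve maps to None should be answered with an error status and logged, since a ../ sequence in a request to a local helper port is a useful detection signal.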