
RealPlayer built-in web server discloses system files



4th Mar 2002 [SBWID-5160]
COMMAND

	RealPlayer built-in web server discloses system files

SYSTEMS AFFECTED

	RealPlayer 6.0.7, others ?

PROBLEM

	žome1 posted :
	

	Open RealPlayer, go to --> File ---> Open File.. ---> Select any real
	media file.. ex: c:\music\file.ram Play the file.
	

	Now go to ---> View ---> Clip Source
	

	RealPlayer will open the URL
	

	http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram

	

	From now on, realplay.exe will listen on port 1275 TCP
	

	As you can see, RealPlayer has a (Mini WebServer) that listens on port
	1275
	

	I only tested the ../../ bug
	

	GET http://127.0.0.1:1275/../../../../../boot.ini

	

	Result: my boot.ini

SOLUTION

	Upgrade ??
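
Added example (not part of the original advisory and not RealPlayer's code): the request-path check a built-in web server needs in order to refuse the `../` request shown above, next to the naive join that lets it through. The document root `DOC_ROOT` and both function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform for string handling
from urllib.parse import unquote, urlsplit

DOC_ROOT = r"C:\Program Files\Player\web"  # hypothetical document root


def naive_resolve(request_target: str, root: str = DOC_ROOT) -> str:
    """Vulnerable pattern: append the URL path to the root and open the result."""
    path = urlsplit(request_target).path
    return ntpath.normpath(ntpath.join(root, path.lstrip("/")))


def safe_resolve(request_target: str, root: str = DOC_ROOT):
    """Return a path inside root, or None when the request must be refused."""
    # urlsplit handles "/a/b" and the absolute form "http://host:port/a/b";
    # the query string (e.g. ?src=...) is separate input and not part of the path.
    path = unquote(urlsplit(request_target).path)
    # Windows accepts both separators, so treat "\" like "/".
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    for seg in segments:
        # Refuse parent references, drive letters / alternate streams, NUL bytes.
        if seg == ".." or ":" in seg or "\x00" in seg:
            return None
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, *segments))
    # Defence in depth: the normalised result must still sit under the root.
    if ntpath.commonpath([root_n, candidate]).lower() != root_n.lower():
        return None
    return candidate


if __name__ == "__main__":
    req = "http://127.0.0.1:1275/../../../../../boot.ini"  # request from the advisory
    print("naive:", naive_resolve(req))
    print("safe: ", safe_resolve(req))
```

This check works on path strings only; a server that can contain links or junctions under its root should also compare the resolved on-disk path before opening the file.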

