
Rapid7 issues QuickTime/Darwin Streaming Server Security Advisory; some flaws remain

CNET staff

Rapid7 Inc. claims that version 4.1.3 of the QuickTime/Darwin Streaming Server contains several security flaws that could lead to denial of service attacks and other intrusions. A patched release is available, but not all of the reported security pitfalls have been addressed.

Among the flaws found:

  • Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced.
  • Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server.

You can avoid these security holes by upgrading to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/

But other flaws have not been fixed in version 4.1.3g, including one where the source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. Rapid7 states in its alert: "Apple is aware of this issue and they are investigating it further. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected."
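For administrators who cannot upgrade immediately, the three request patterns above are easy to watch for in the server's access log. The following Python is an added example, not code from Rapid7's advisory or from Apple; it assumes Common Log Format lines (constructed here), extends the advisory's "e.g. AUX" to the full set of reserved DOS device names, and, because the advisory does not name the parameters view_broadcast.cgi requires, treats a request with no query string at all as the suspicious case.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Reserved DOS device names; the advisory cites AUX, the rest are the standard set.
DOS_DEVICE_RE = re.compile(
    r"^(?:AUX|CON|PRN|NUL|COM[1-9]|LPT[1-9])(?:\..*)?$", re.IGNORECASE
)

# Common Log Format (assumed; the real Darwin Streaming Server log layout may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_request(target: str) -> Optional[str]:
    """Label a request target that matches one of the advisory's patterns, else None."""
    parts = urlsplit(target)
    last_segment = parts.path.rsplit("/", 1)[-1]
    if DOS_DEVICE_RE.match(last_segment):
        return "dos-device-name"
    # Assumption: required parameters are unknown, so flag a bare request only.
    if parts.path.endswith("/view_broadcast.cgi") and not parts.query:
        return "view_broadcast-missing-params"
    if parts.path.endswith("/parse_xml.cgi") and "filename" in parse_qs(parts.query):
        return "parse_xml-source-disclosure"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, request target, label) for every matching log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        label = classify_request(m.group("target"))
        if label is not None:
            findings.append((m.group("ip"), m.group("target"), label))
    return findings


# Constructed sample lines from a hypothetical port-1220 admin server log.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /AUX HTTP/1.0" 404 0',
    '10.0.0.5 - - [01/Jan/2003:10:00:01 +0000] "GET /view_broadcast.cgi HTTP/1.0" 200 0',
    '10.0.0.7 - - [01/Jan/2003:10:00:02 +0000] "GET /parse_xml.cgi?filename=admin.cgi HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2003:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.9 - - [01/Jan/2003:10:00:04 +0000] "GET /view_broadcast.cgi?name=live HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for ip, target, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {label} {target}")
```

Note that a legitimate parse_xml.cgi request with a filename parameter will also be flagged, so treat the output as a review queue rather than a block list.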

Feedback? Late-breakers@macfixit.com.

Resources

  • Rapid7 Inc.
  • http://developer.apple.com...
  • Late-breakers@macfixit.com