February 26th, 2003, 04:59 PM
Flaws Found in Apple Streaming Servers
Full story Here
There are several security vulnerabilities in recent versions of Apple Computer Inc.'s popular QuickTime Streaming Server and Darwin Streaming Server that give attackers the ability to execute code on remote machines.
The flaws affect version 4.1.2 of the Darwin server and 4.1.1 of the QuickTime server. Apple, based in Cupertino, Calif., has released updated versions of both servers that fix the problems.
QuickTime Streaming Server and Darwin Streaming Server are enterprise-class servers designed to deliver thousands of simultaneous streams.
Of the six vulnerabilities found by researchers at @Stake Inc., in Cambridge, Mass., the most serious is a condition in the CGI application used to authenticate and interface with users that allows an attacker to pass unvalidated input to the open() function on the streaming server. By inserting a specific character in the command, the attacker can bypass a file existence check designed to protect against such operations