Granted that it listens to localhost only, it could still be a huge problem depending on the configuration of the server. For example the server could running a proxy and at the same time have realplayer on. Therefore an attacker would connect to the Proxy and bounce from there to http://127.0.0.1:1275/template.html?src=file://C:/boot.ini I do not run realplayer at the moment so this is all hypothetical. ------------------------------------ Obscure - http://eyeonsecurity.net ------------------------------------ ----- Original Message ----- From: "Michiel Heijkoop" <myself@mhil.net> To: <bugtraq@securityfocus.com> Sent: Sunday, March 03, 2002 10:17 PM Subject: Re: RealPlayer bug > Hey, > > On Sat, Mar 02, 2002 at 09:16:53PM +0300, §ome1 wrote: > > http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram > > from now realplay.exe will listen on port 1275 TCP > As the URL indicates, it's well possible that the webserver only listens to 127.0.0.1, which wouldn't make it a large security risk, unless its ran on an NT-machine under an admin-account and accessed by a regular user, which could then have read-access to files, he/she shouldn't have it to. Perhaps someone with Realplayer installed can check wether this miniserver is binding to all interfaces, or just the loopback? >
