Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Apple QuickTime Server < 4.1.3 Multiple Vulnerabilities (deprecated)

Medium

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote host is running the Apple Quicktime Streaming Server. This version is vulnerable to an information disclosure bug. Specifically, the parse_xml.cgi script can be coerced into giving away local system information (path, file name, and more). Such information can aid an attacker in more sophisticated attacks. A second flaw would allow an attacker the ability to run arbitrary code on the remote server. Specifically, malformed requests are not properly parsed prior to being logged. When the logs were viewed by a local user, code could be executed with the permissions of the user reading the logs (typically an administrator). The remote server is also reported prone to a remote Cross-Site Scripting (XSS) flaw. An attacker exploiting this flaw would need to be able to convince a user to browse to a malicious URI. Successful exploitation would result in the theft of confidential data (cookies, authentication materials, and more).

Solution

Upgrade to version 4.1.3 or higher.