[24526] in bugtraq


Re: RealPlayer bug

daemon@ATHENA.MIT.EDU (Michiel Heijkoop)
Mon Mar 4 18:05:11 2002

Date: Sun, 3 Mar 2002 22:17:10 +0100
From: Michiel Heijkoop <myself@mhil.net>
To: bugtraq@securityfocus.com
Message-ID: <20020303221710.A11329@mhil.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <007d01c1c216$704b59e0$74b1b5d5@sys0p>; from exe@FlashMail.com on Sat, Mar 02, 2002 at 09:16:53PM +0300

Hey,

On Sat, Mar 02, 2002 at 09:16:53PM +0300, §ome1 wrote:
> http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram
> from now realplay.exe will listen on port 1275 TCP
As the URL indicates, it's well possible that the webserver only listens to 127.0.0.1, which wouldn't make it a large security risk, unless it's run on an NT machine under an admin account and accessed by a regular user, who could then have read access to files he/she shouldn't have access to. Perhaps someone with RealPlayer installed can check whether this miniserver is binding to all interfaces, or just the loopback?
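
One way to answer the question the message ends on, as an added example that is not part of the original post: classify the bind address of the TCP listener on port 1275 from Windows `netstat -an` output. The sample output, the function name `bind_scope` and the scope labels are constructed for illustration.

```python
import ipaddress

# Constructed sample in Windows `netstat -an` layout (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1275         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1275         127.0.0.1:1301         ESTABLISHED
"""

def bind_scope(netstat_text, port):
    """Return the set of bind scopes for TCP listeners on `port`.

    Labels (hypothetical, chosen for this example):
      loopback-only      reachable only from the local machine
      all-interfaces     bound to 0.0.0.0 or [::], reachable from the network
      specific-interface bound to one non-loopback address
      unknown            local address could not be parsed
    An empty set means nothing is listening on that port.
    """
    scopes = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue  # established connections say nothing about the bind address
        host, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit() or int(port_text) != port:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            scopes.add("unknown")
            continue
        if addr.is_unspecified:
            scopes.add("all-interfaces")
        elif addr.is_loopback:
            scopes.add("loopback-only")
        else:
            scopes.add("specific-interface")
    return scopes

if __name__ == "__main__":
    print(1275, bind_scope(SAMPLE, 1275))
```

A result of `loopback-only` matches the limited-risk case described in the message; `all-interfaces` or `specific-interface` means the listener is reachable from other hosts.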
