3/5/03
CAN-2003-0050
Insufficient parameter checking in the parse_xml.cgi application on the web administration interface could allow command execution with root privileges. However, in newer versions the impact of command execution is limited because there is no way to pass command-line arguments, unless the attacker is able to upload programs to the server.
CAN-2003-0051
CAN-2003-0052
CAN-2003-0053
Additional vulnerabilities in parse_xml.cgi could allow a cross-site scripting attack that could disclose the administrator's Base64-encoded username and password stored in the qtpassword cookie. Arbitrary directory listings and disclosure of the physical path name are also possible. Darwin Streaming Server 4.1.2 and earlier and QuickTime Streaming Server 4.1.1 and earlier are affected.
3/5/03
CAN-2003-0054
A cross-site scripting vulnerability exists because a remote attacker can cause lines of script to be written to the log file. The script would then execute in the administrator's web browser when the administrator views the logs. Darwin Streaming Server 4.1.2 and earlier and QuickTime Streaming Server 4.1.1 and earlier are affected.
3/5/03
CAN-2003-0055
A buffer overflow in the MP3 Broadcasting Module occurs when processing an MP3 file whose name is over 256 characters long. This could allow a local user to execute commands with root privileges. It could also allow command execution by a remote user who is able to upload MP3 files. Darwin Streaming Server 4.1.2 and earlier and QuickTime Streaming Server 4.1.1 and earlier are affected.