Vulnerabilities > CVE-2003-0051 - Remote Path Disclosure vulnerability in Apple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
apple
nessus

Summary

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter.

Vulnerable Configurations

Part Description Count
Application
Apple
2

Nessus

NASL familyCGI abuses
NASL idQUICKTIME_ADMIN.NASL
descriptionThe remote host is running Apple QuickTime Streaming Server. There are multiple flaws in this version : * Remote code execution vulnerability (by default with root privileges) * 2 Cross-Site Scripting vulnerabilities * Path Disclosure vulnerability * Arbitrary Directory listing vulnerability * Buffer overflow in MP3 broadcasting module
last seen2020-06-01
modified2020-06-02
plugin id11278
published2003-02-28
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11278
titleApple QuickTime/Darwin Streaming Server Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

# Original plugin was written by Michael Scheidell
#
# http://web.archive.org/web/20050406013934/http://www.atstake.com/research/advisories/2003/a022403-1.txt


include("compat.inc");

if(description)
{
 script_id(11278);
 script_version("1.36");

 script_cve_id("CVE-2003-0050", "CVE-2003-0051", "CVE-2003-0052", "CVE-2003-0053",
               "CVE-2003-0054", "CVE-2003-0055", "CVE-2003-1414");
 script_bugtraq_id(6954, 6955, 6956, 6957, 6958, 6960, 6990);
 
 script_name(english:"Apple QuickTime/Darwin Streaming Server Multiple Remote Vulnerabilities");

 script_set_attribute(attribute:"synopsis", value:
"The remote server is vulnerable to several flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Apple QuickTime Streaming Server.

There are multiple flaws in this version :

* Remote code execution vulnerability (by default with root privileges)
* 2 Cross-Site Scripting vulnerabilities
* Path Disclosure vulnerability
* Arbitrary Directory listing vulnerability 
* Buffer overflow in MP3 broadcasting module" );
 script_set_attribute(attribute:"see_also", value:"http://www.atstake.com/research/advisories/2003/a022403-1.txt" );
 script_set_attribute(attribute:"solution", value:
"Install patches from Apple or disable access to this service." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"metasploit_name", value:'QuickTime Streaming Server parse_xml.cgi Remote Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_cwe_id(22);
 script_set_attribute(attribute:"plugin_publication_date", value: "2003/02/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/02/23");
 script_cvs_date("Date: 2018/07/26 13:32:42");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:quicktime");
 script_end_attributes();
 
 script_summary(english:"Checks QuickTime/Darwin server for parse_xml.cgi");
 
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 script_dependencie("find_service1.nasl", "http_version.nasl","no404.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 1220);
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


if ( thorough_tests )
{
 extra_list = make_list ("/AdminHTML");
}
else
  extra_list = NULL;

http_check_remote_code (
			default_port:1220,
			extra_dirs: extra_list,
			check_request:"/parse_xml.cgi?action=login&filename=frameset.html|id%00|",
			check_result:"uid=[0-9]+.*gid=[0-9]+.*",
			command:"id",
			xss: 1
			);