Re: RealPlayer bug

[bugtraq42 () myrealbox com]

On Sun, Mar 03, 2002 at 10:17:10PM +0100, Michiel Heijkoop wrote:
> Hey,
>
> On Sat, Mar 02, 2002 at 09:16:53PM +0300, §ome1 wrote:
> > http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram
> > from now realplay.exe will listen on port 1275 TCP
> As the URL indicates, it's well possible that the webserver only listens to 127.0.0.1, which wouldn't make it a large 
> security risk, unless its ran on an NT-machine under an admin-account and accessed by a regular user, which could 
> then have read-access to files, he/she shouldn't have it to. Perhaps someone with Realplayer installed can check 
> wether this miniserver is binding to all interfaces, or just the loopback?

Not just NT, this bug is present on the linux version as well
(8.0-1).  A quick check with this version reveals that it listens ONLY
on the loopback (127.0.0.1) interface.  Still, this could be a serious
risk to multi-user systems.