ID
VAR-200303-0100
CVE
CVE-2003-0053
TITLE
Apple QuickTime/Darwin Streaming Server Parse_XML.CGI Cross-Site Scripting Vulnerability
Trust: 0.9
DESCRIPTION
Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. When an invalid filename is specified from this page, it is output to an error page without sufficient sanitization of HTML and script code. This may permit cross-site scripting attacks to occur if an attacker constructs a malicious link to the page and can entice web users to visit it. Apple Darwin and QuickTime stream management server is a WEB-based service that allows administrators to manage Darwin and QuickTime stream servers. By default, these services listen to port 1220/TCP with ROOT privileges. The parse_xml.cgi of the Darwin/QuickTime streaming server does not sufficiently filter the non-existing file name parameters. If an attacker passes a non-existent file name parameter to the parse_xml.cgi script, the script will generate an error message and record it. If the parameter provided by the attacker contains malicious script code, the administrator can use the Script code is executed on the browser
Trust: 1.26
AFFECTED PRODUCTS
| vendor: | apple | model: | darwin streaming server | scope: | eq | version: | 4.1.2 | Trust: 1.9 |
| vendor: | apple | model: | quicktime streaming server | scope: | eq | version: | 4.1.1 | Trust: 1.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
input validation
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2003-0053 | Trust: 2.0 |
| db: | BID | id: | 6958 | Trust: 2.0 |
| db: | CNNVD | id: | CNNVD-200303-042 | Trust: 0.7 |
| db: | BUGTRAQ | id: | 20030224 QUICKTIME/DARWIN STREAMING ADMINISTRATION SERVER MULTIPLE VULNERABILITIES | Trust: 0.6 |
| db: | XF | id: | 11404 | Trust: 0.6 |
| db: | VULHUB | id: | VHN-6883 | Trust: 0.1 |
REFERENCES
| url: | http://www.securityfocus.com/bid/6958 | Trust: 1.7 |
| url: | http://lists.apple.com/archives/security-announce/2003/feb/25/applesa20030225macosx102.txt | Trust: 1.7 |
| url: | http://www.iss.net/security_center/static/11404.php | Trust: 1.7 |
| url: | http://marc.info/?l=bugtraq&m=104618904330226&w=2 | Trust: 1.1 |
| url: | http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2 | Trust: 0.6 |
| url: | http://www.info.apple.com/usen/security/security_updates.html | Trust: 0.3 |
| url: | - | Trust: 0.1 |
CREDITS
Dave G.※ daveg@atstake.com※Ollie Whitehouse※ ollie@atstake.com
Trust: 0.6
SOURCES
| db: | VULHUB | id: | VHN-6883 |
| db: | BID | id: | 6958 |
| db: | CNNVD | id: | CNNVD-200303-042 |
| db: | NVD | id: | CVE-2003-0053 |
LAST UPDATE DATE
2024-08-14T12:44:10.039000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-6883 | date: | 2016-10-18T00:00:00 |
| db: | BID | id: | 6958 | date: | 2015-03-19T09:11:00 |
| db: | CNNVD | id: | CNNVD-200303-042 | date: | 2005-05-13T00:00:00 |
| db: | NVD | id: | CVE-2003-0053 | date: | 2016-10-18T02:28:51.140 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-6883 | date: | 2003-03-07T00:00:00 |
| db: | BID | id: | 6958 | date: | 2003-02-24T00:00:00 |
| db: | CNNVD | id: | CNNVD-200303-042 | date: | 2003-02-24T00:00:00 |
| db: | NVD | id: | CVE-2003-0053 | date: | 2003-03-07T05:00:00 |