Potential Server/Proxy Denial-of-Service Vulnerability
Issued January 12, 2004
Helix Universal Server/Proxy 9 contains a potential denial-of-service vulnerability that can be triggered when certain types of HTTP POST messages are sent to the server's Administration System port. Helix Mobile Server 10 is vulnerable to a similar type of attack. Note that these attacks require administrator login access to the server.
Impacted Products and Versions:
Helix Universal Mobile Server & Gateway 10, versions 10.1.1.120 and prior
Helix Universal Server & Gateway 9, version 9.0.2.881 and prior
RealSystem Server and Proxy versions 8.x and earlier are not impacted by this vulnerability.
Solution:
The vulnerability is closed by replacement of the RealNetworks Administration System plug-in in the /Plugins directory.
Helix Universal Server and Proxy (9.0.x)
Windows: admi3260.dll
Solaris 2.8: adminfs.so
Solaris 2.7: adminfs.so
Linux: adminfs.so
IBM/AIX: adminfs.so
HP UX: adminfs.so
Compaq Tru64: adminfs.so
FreeBSD: adminfs.so
Helix Universal Mobile Server and Proxy (10.0.x)
Solaris 2.8: adminfs.so
Linux: adminfs.so
To replace the Administration System plug-in, click on a file above to download an updated version. After downloading the appropriate file, replace the current admin plug-in in the /Plugins folder and restart the server or proxy.
Acknowledgment:
RealNetworks thanks Matt Moore from Pentest Limited for reporting this vulnerability.
Warranty:
While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.

