
Potential Server/Proxy Denial-of-Service Vulnerability

Issued January 12, 2004

Helix Universal Server/Proxy 9 contains a potential denial-of-service vulnerability that can be triggered when certain types of HTTP POST messages are sent to the server's Administration System port. Helix Mobile Server 10 is vulnerable to a similar type of attack. Note that these attacks require administrator login access to the server.

Impacted Products and Versions:

Helix Universal Mobile Server & Gateway 10, versions 10.1.1.120 and prior
Helix Universal Server & Gateway 9, versions 9.0.2.881 and prior

RealSystem Server and Proxy versions 8.x and earlier are not impacted by this vulnerability.

Solution:

The vulnerability is closed by replacing the RealNetworks Administration System plug-in in the /Plugins directory.

Helix Universal Server and Proxy (9.0.x)

Windows: admi3260.dll
Solaris 2.8: adminfs.so
Solaris 2.7: adminfs.so
Linux: adminfs.so
IBM/AIX: adminfs.so
HP-UX: adminfs.so
Compaq Tru64: adminfs.so
FreeBSD: adminfs.so

Helix Universal Mobile Server and Proxy (10.0.x)

Solaris 2.8: adminfs.so
Linux: adminfs.so

To replace the Administration System plug-in, click on a file above to download an updated version. After downloading the appropriate file, replace the current admin plug-in in the /Plugins folder and restart the server or proxy.

Acknowledgment:

RealNetworks thanks Matt Moore from Pentest Limited for reporting this vulnerability.

Warranty:

While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.