Vulnerability Note VU#460350
Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requests
Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requests containing overly large User-Agent fields. This could allow an unauthenticated, remote attacker to cause a denial-of-service condition.
Apple's QuickTime and Darwin Streaming Server is software which provides integrated distribution of various forms of digital content. Such content can be delivered over a network using Real-Time Transport Protocol (RTP) and Real-Time Streaming Protocol (RTSP).
The RTSP provides a DESCRIBE method which according to RFC 2326 "retrieves the description of a presentation or media object identified by the request URL from a server. It may use the Accept header to specify the description formats that the client understands. The server responds with a description of the requested resource. The DESCRIBE reply-response pair constitutes the media initialization phase of RTSP."
An unauthenticated, remote attacker could prevent legitimate users from accessing the streamed content.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer Inc.||Affected||-||25 Feb 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by iDefense.
This document was written by Damon Morda.
- CVE IDs: CAN-2004-0169
- Date Public: 24 Feb 2004
- Date First Published: 25 Feb 2004
- Date Last Updated: 15 Mar 2004
- Severity Metric: 1.68
- Document Revision: 12
If you have feedback, comments, or additional information about this vulnerability, please send us email.