X2 Studios Information for VU#583020

XMMS Remote input validation error

Status

Affected

Vendor Statement

Please see Security Alert: Update XMMS Remote Server

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

[Begin excerpt of "Security Alert: Update XMMS Remote Server", 05/14/2003 22:36:16 UTC]

<http://www.x2studios.com/index.php?page=kb&id=16>

Article: 16, Security Alert: Update XMMS Remote Server
Date: May 07, 2003 - 1:40PM

Topic:

This applies to the initial release of the XMMS Remote server script. Thanks to a MacSlash reader (Chris Dolan), a security hole that was unintentionally left in the XMMS.pm (part of the server scripts) was discovered.

Discussion:

The security hole had to do with the script not evaluating input that it was issuing using system() {BAD PROGRAMMING ALERT}. There was a corrected version that included a regular expression that made sure that the command was safe to run. However, this version was not initially uploaded. The unsafe version had been on the server between the hours of 4am PST and 11am PST on May 7, 2003. It is recommended to all users who downloaded the script during this time to IMMEDIATELY remove it and download the new version. The new script is available on the product page.

[End excerpt of "Security Alert: Update XMMS Remote Server", 05/14/2003 22:36:16 UTC]
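
The class of bug the alert describes (client input reaching `system()` unchecked) and the regex-based fix it mentions can be sketched in Perl as follows. This is an added example, not the vendor's XMMS.pm, whose source is not shown here; the action names, the `%ACTIONS` table and all function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allowlist: remote-control action => xmms command-line flag.
my %ACTIONS = (
    play  => '--play',
    pause => '--pause',
    stop  => '--stop',
    next  => '--fwd',
    prev  => '--rew',
);

# Unsafe pattern: a single interpolated string is handed to /bin/sh,
# so shell metacharacters in $cmd are interpreted. Defined for
# comparison only; it is never called below.
sub run_unsafe {
    my ($cmd) = @_;
    return system("xmms --$cmd");
}

# Validation: an anchored regex over the whole input, then an allowlist
# lookup. \A and \z are used because $ also matches before a trailing
# newline, which would let "play\n" through.
sub build_argv {
    my ($cmd) = @_;
    return unless defined $cmd && $cmd =~ /\A[a-z]{1,16}\z/;
    my $flag = $ACTIONS{$cmd} or return;
    return ('xmms', $flag);
}

# Hardened: list-form system() executes the program directly, with no
# shell in between, and only after validation has succeeded.
sub run_safe {
    my ($cmd) = @_;
    my @argv = build_argv($cmd) or return -1;
    return system { $argv[0] } @argv;
}

# Constructed sample inputs. Only validation is exercised, so the demo
# runs on a machine without xmms installed.
for my $input ('play', 'stop', "stop; echo injected", "play\n", '$(id)', 'shuffle') {
    my @argv = build_argv($input);
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-24s %s\n", "'$shown'", @argv ? "ok: @argv" : 'rejected';
}
```

The regex and the list-form call are independent layers: the pattern rejects anything outside the expected vocabulary, and avoiding the shell means a value that slipped past validation would still be passed as a literal argument rather than parsed as shell syntax.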

If you have feedback, comments, or additional information about this vulnerability, please send us email.