Vulnerability Note VU#583020
XMMS Remote input validation error
There is an input validation error in the stand-alone SOAP server XMMS Remote which allows unauthorized remote command execution.
XMMS Remote is a stand-alone XML/SOAP HTTP server implemented in Perl, created by X2 Studios. It is used to monitor a running xmms media player client, typically on Mac OS X systems, but it appears to be easily ported to multiple platforms. (xmms, the X Multimedia System, is an audio player for X.) The Perl module XMMS.pm contains an input validation error which allows arbitrary commands received from a network port (8086/tcp by default) to be executed in the command shell running the service.
In XMMS.pm, unfiltered input was passed to calls to the Perl function system():
Unauthorized remote command execution with the privileges of the XMMS Remote service (note: not typically a privileged account).
Update to a non-vulnerable version of XMMS.pm (created after May 07, 2003 - 1:40PM PST):
Block external access to the XML/SOAP service being offered by XMMS Remote, port 8086/tcp by default.
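The general remedy for an unfiltered system() call, shown as an added example that is not the XMMS.pm source or X2 Studios' fix: validate request data against an allowlist and use the list form of system() so no shell parses it. The action names, the /bin/echo stand-in for the player-control program, and the request values are constructed assumptions.

```perl
#!/usr/bin/perl
# Added illustration; NOT the XMMS.pm source. All names here are hypothetical.
use strict;
use warnings;
$| = 1;    # keep our output ordered with the child's output

# Stand-in for the player-control program the service would invoke (assumption).
my $PLAYER = '/bin/echo';

# Actions the service agrees to perform; anything else is rejected.
my %ALLOWED = map { $_ => 1 } qw(play pause stop next prev volume);

# UNSAFE pattern (built as a string only, never executed here): the
# single-string form of system() is handed to /bin/sh, so metacharacters
# in request data are interpreted by the shell.
sub unsafe_command_line {
    my ($action, $arg) = @_;
    return "$PLAYER $action $arg";
}

# Hardened pattern: allowlist the action, constrain the argument to digits,
# then use list-form system(), which execs the program directly with no shell.
sub run_player_command {
    my ($action, $arg) = @_;
    return (0, 'unknown action') unless defined $action && $ALLOWED{$action};
    my @argv = ($PLAYER, $action);
    if (defined $arg && length $arg) {
        return (0, 'bad argument') unless $arg =~ /\A[0-9]{1,3}\z/;
        push @argv, $arg;
    }
    my $rc = system { $argv[0] } @argv;    # indirect-object form: never a shell
    return $rc == 0 ? (1, 'ok') : (0, "exit status $rc");
}

# Constructed request values, including one carrying shell metacharacters.
for my $req (['volume', '80'], ['volume', '80; echo INJECTED'], ['shutdown', '']) {
    my ($action, $arg) = @$req;
    print "single-string form would pass to sh: ",
        unsafe_command_line($action, $arg), "\n";
    my ($ok, $why) = run_player_command($action, $arg);
    print "  hardened handler: ", ($ok ? 'accepted' : "rejected ($why)"), "\n";
}
```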
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| X2 Studios | Affected | - | 14 May 2003 |
Credit to Chris Dolan for reporting this vulnerability to X2 Studios.
This document was written by Jeffrey S. Havrilla.
- CVE IDs: Unknown
- Date Public: 07 May 2003
- Date First Published: 14 May 2003
- Date Last Updated: 15 May 2003
- Severity Metric: 1.62
- Document Revision: 11