Bugtraq mailing list archives

Re: Remote DoS attack in Real Networks Real Server (Strike #2) vulnerability


From: christopher () SCHULTE ORG (Christopher Schulte)
Date: Fri, 2 Jun 2000 15:14:04 -0500


Confirmed fixed, Ryan, on both the 7 and 8 series of realserver.

It should be noted that the 6.x series does not have the 'viewsource'
variable available, so it's undoubtedly unaffected.  When I pull up the DoS
url on a 6 server, I get a 404.  Just like what happens when I comment out
the VAR in the 7 and 8 cfg files.

Looks like just 7 and 8 are affected.

Thanks for this fix.

At 05:02 PM 6/1/00 -0700, Ryan Russell wrote:
I believe I have a temporary workaround.

In the rmserver.cfg file, there's a section like this:

<!-- H T T P S U P P O R T -->
<List Name="HTTPDeliverable">
    <Var Path_0="/admin"/>
    <Var Path_1="/ramgen"/>
    <Var Path_2="/farm"/>
    <Var Path_3="/httpfs"/>
    <Var Path_4="/viewsource"/>
</List>

On my Real server, I've removed this line:
<Var Path_4="/viewsource"/>

I *think* this only has the consequence that people can't pull down file
details for audio content for the moment.  We can still serve up audio
just fine.

                                Ryan


--
Christopher Schulte | christopher () schulte org
cell:612.986.4859   | home:651.225.4557 | fax: 651.315.3339
page:612.264.1115   | free:877.271.9245 | site: schulte.org

COMING SOON http://SchulteConsulting.COM/
reliable computer consulting at a fair price.
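The workaround Ryan describes above, applied as a script rather than by hand. This is an added example and not code from either poster: it drops the /viewsource entry from the HTTPDeliverable list in rmserver.cfg, keeps a backup, and lists the HTTP-deliverable paths that remain so the edit can be checked. The config file path is whatever your install uses; the sample config embedded in make_sample_cfg is constructed from the section quoted in the thread.

```bash
#!/bin/sh
# Added example (not from the original thread): apply the rmserver.cfg
# workaround of removing the /viewsource entry from HTTPDeliverable.

# Write a constructed sample config reproducing the section quoted above.
# Only used for demonstration; point the other functions at the real file.
make_sample_cfg() {
  cat > "$1" <<'EOF'
<!-- H T T P S U P P O R T -->
<List Name="HTTPDeliverable">
    <Var Path_0="/admin"/>
    <Var Path_1="/ramgen"/>
    <Var Path_2="/farm"/>
    <Var Path_3="/httpfs"/>
    <Var Path_4="/viewsource"/>
</List>
EOF
}

# Delete every Var line whose value is "/viewsource", keeping a .bak copy
# of the original so the change can be reverted.
disable_viewsource() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  sed '/<Var Path_[0-9]*="\/viewsource"\/>/d' "$cfg.bak" > "$cfg"
}

# Print the paths still configured inside the HTTPDeliverable list,
# one per line, so you can confirm /viewsource is gone and the rest remain.
deliverable_paths() {
  sed -n '/<List Name="HTTPDeliverable">/,/<\/List>/p' "$1" \
    | sed -n 's/.*<Var Path_[0-9]*="\([^"]*\)".*/\1/p'
}

# Usage (assumed path):
#   disable_viewsource /usr/local/real/rmserver.cfg
#   deliverable_paths  /usr/local/real/rmserver.cfg
```

After restarting the server, request the viewsource URL that triggers the DoS and confirm you get a 404, which is what Christopher reports seeing once the VAR is commented out; the other four paths should still be served.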


