Re: RealServer exposes internal IP addresses

[monwel () INTERHACK NET (Doug Monroe)]

tschweikle () FIDUCIA DE wrote:
> RealServer exposes internal IP addresses if requested to
> deliver real media files:
> 62.158.114.150 -> 192.168.13.33 HTTP
>   GET /ramgen/extern/genoverb/weinkauf.rm HTTP/1.0
> 192.168.13.33 -> 62.158.114.150 HTTP
>   (proxy) R port=1210
> 192.168.13.33 -> 62.158.114.150 HTTP
>   HTTP/1.0 200 OK
> 192.168.13.33 -> 62.158.114.150 HTTP
>   rtsp://192.168.13.33:554/extern/genoverb/weinkauf.rm
> The Server is located inside a DMZ. Network-Address
> translation is in effect from internet as is from campus.
> In my opinion this may be usedfull for an intruder, and
> RealNetworks should fix this. I've informed them about
> 6 weeks ago, calling them again four weeks later, then
> 14 days ago, but no reaction on there side until now.

FWIW - some time ago (Sept.99) I addressed this issue with Real. I sent them
a similar bit of info:
> $ GET http://realg2.example.com:8080/ramgen/foo.rm
> reveals-
> rtsp://192.168.11.12:554/foo.rm
> --stop--
> pnm://192.168.11.12:7070/foo.rm
> server info:
> WinNT Version 6.0.3.303

I got this reply:
> > 1. Add the following line to the end of your rmserver.cfg:
> > <Var HostName="IP-or-HostName"/>
> > 2. In the URL add the text "?usehostname"
> > so that your URL will look like:
> > http://demos.real.com:8080/ramgen/g2video.rm?usehostname
> > The variable <Var HostName="IP-or-HostName"/>  is only supported in
> > the RealServer 6.1 Beta version.

I don't have any idea what version they're up to currently or if any of
this indeed works...
I lost interest myself.

--
Doug Monroe