RealOne Player SMIL文件脚本执行变化漏洞

漏洞信息详情

RealOne Player SMIL文件脚本执行变化漏洞

• CNNVD编号：CNNVD-200412-909
• 危害等级： 中危
  
  
• CVE编号：
  CVE-2004-1798
  
• 漏洞类型：
  
  
  输入验证
  
• 发布时间：
  
  2004-12-31
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2006-01-05
  
• 厂        商：
  
  realnetworks
• 漏洞来源：
  Discovery is credi…

RealOne player 6.0.11.868版本存在漏洞。远程攻击者可以借助带有\”file：javascript：\” URL的Synchronized Multimedia Integration Language (SMIL)描述在\”My Computer\”区域中执行任意脚本，该漏洞在之前载入的URL的安全上下文中被执行，该漏洞不同于CVE-2003-0726。

RealSecurity has released an advisory dealing with this issue. The following text, describing how to apply the patch to address the issue with the vulnerable software, has been taken verbatim from the advisory:
Windows Players:
RealOne Player, RealOne Player v2 (localized languages) and RealPlayer 10 Beta customers please use the following steps to update your Player:
1. In the Tools menu select Check for Update.
2. Select the box next to the “RealPlayer 10” (English) or “RealOne Player” (localized) component.
3. Click the Install button to download and install the update.
RealPlayer 8 (version 6.0.9.584):
1. Go to the Help menu.
2. Select “Check for Update”.
3. Select the box next to the “RealPlayer 10” (English) or “RealOne Player” (localized) component.
4. Click the Install button to download and install the update.

来源: BID
名称: 9378
链接:http://www.securityfocus.com/bid/9378

来源: OSVDB
名称: 3826
链接:http://www.osvdb.org/3826

来源: SECUNIA
名称: 9584
链接:http://secunia.com/advisories/9584

来源: XF
名称: realoneplayer-smil-xss(14168)
链接:http://xforce.iss.net/xforce/xfdb/14168

来源: BUGTRAQ
名称: 20040107 RealNetworks fails to address Cross-Site Scripting in RealOne Player
链接:http://www.securityfocus.com/archive/1/349086

来源: SECTRACK
名称: 1008647
链接:http://securitytracker.com/id?1008647