Return-Path: owner-bugtraq@SECURITYFOCUS.COM
X-Sender: ryan@mail
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.21.0006011657080.26170-100000@mail>
Date:         Thu, 1 Jun 2000 17:02:46 -0700
Reply-To: Ryan Russell <ryan@SECURITYFOCUS.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
Subject:      Re: Remote DoS attack in Real Networks Real Server (Strike #2)
              vulnerability
X-To:         bugtraq@securityfocus.com
X-cc:         labs@ussrback.com
To: BUGTRAQ@SECURITYFOCUS.COM

I believe I have a temporary workaround.

In the rmserver.cfg file, there's a section like this:

<!-- H T T P S U P P O R T -->
<List Name="HTTPDeliverable">
    <Var Path_0="/admin"/>
    <Var Path_1="/ramgen"/>
    <Var Path_2="/farm"/>
    <Var Path_3="/httpfs"/>
    <Var Path_4="/viewsource"/>
</List>

On my Real server, I've removed this line:
<Var Path_4="/viewsource"/>

I *think* this only has the consequence that people can't pull down file
details for audio content for the moment.  We can still serve up audio
just fine.

				Ryan
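
A check for the workaround described in the message above, as an added example that is not part of the original post or of any Real Networks tooling. It assumes the rmserver.cfg list syntax quoted in the message; the function names and the sample text are constructed for illustration, and the path comparison is an exact string match.

```python
import re
import sys

# Constructed sample modelled on the fragment quoted in the message.
# Here /viewsource has been commented out instead of deleted.
SAMPLE_CFG = '''\
<!-- H T T P S U P P O R T -->
<List Name="HTTPDeliverable">
    <Var Path_0="/admin"/>
    <Var Path_1="/ramgen"/>
    <Var Path_2="/farm"/>
    <Var Path_3="/httpfs"/>
    <!-- <Var Path_4="/viewsource"/> -->
</List>
'''

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
LIST_RE = re.compile(r'<List\s+Name="HTTPDeliverable"\s*>(.*?)</List>',
                     re.DOTALL)
VAR_RE = re.compile(r'<Var\s+Path_\d+="([^"]*)"\s*/>')


def http_deliverable_paths(cfg_text):
    """Return the active paths in the HTTPDeliverable list.

    Comments are stripped first, so an entry that was commented out
    is not reported as still being served.
    """
    active = COMMENT_RE.sub("", cfg_text)
    paths = []
    for body in LIST_RE.findall(active):
        paths.extend(VAR_RE.findall(body))
    return paths


def workaround_applied(cfg_text, blocked="/viewsource"):
    """True when `blocked` is absent from the active HTTPDeliverable list."""
    return blocked not in http_deliverable_paths(cfg_text)


if __name__ == "__main__":
    # Optional argument: path to a config file (hypothetical location).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for path in http_deliverable_paths(text):
        print("served over HTTP:", path)
    ok = workaround_applied(text)
    print("/viewsource removed:", ok)
    sys.exit(0 if ok else 1)
```

The exit status is non-zero while /viewsource is still listed, so the check can be run from a configuration audit job.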