To avoid this vulnerability, you should disable the QTSS web-based admin.
If you are not actively administering QTSS via the web-based admin, disabling it should not be an issue for you. But if you are actively using the web-based admin, you will need to use one of these two alternatives:
1. Disable the web-based admin, and directly edit the QTSS configuration files instead, or
2. Limit who is capable of connecting to the web-based admin.
The following sections explain how to use either of these alternatives.
How to disable QTSS web-based admin
1. At the server, open Terminal (/Applications/Utilities/).
2. Type: su root
3. Press Return.
4. Enter your "Admin" account password when prompted, and press Return.
Note: The password you need to enter is not the QTSS administrator password. You must be logged into the server as an administrator (designated "Admin" in the Accounts preference pane), and you use the password for that user account.
5. Type: sed s/QTSSERVER=-YES-/QTSSERVER=-NO-/ /etc/hostconfig > /etc/hostconfig.tmp
6. Press Return.
7. Type: mv /etc/hostconfig.tmp /etc/hostconfig
8. Press Return.
9. Quit Terminal.
10. Restart the server.
How to limit QTSS web-based admin access
1. Open this file in a text editor:
/Library/QuickTimeStreaming/Config/streamingadminserver.conf
Note: If the file is not there, create a new one. This file only contains information that differs from default settings, so it is OK if the file contains only the line that you will choose in the next step -- you do not need any additional information. If you need help opening and editing the file, see technical document 106619, "Mac OS X Server: How to Locate and Edit Configuration Files".
2. Place one of the following lines in the streamingadminserver.conf text file, substituting a valid DNS value for either "server_hostname" or "your_domain_name".
To limit access to only web browsers running locally at the server, use this line:
allow=127.0.0.1 server_hostname
To limit access to web browsers within your domain, use this line:
allow=127.0.0.1 *.your_domain_name.com
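The two procedures above, the hostconfig edit and the allow= line, as an added shell example that is not part of the original document: it performs the edit on whatever file path you pass (so it can be tried on a copy of /etc/hostconfig first), checks that the change took effect, and keeps exactly one allow= line in streamingadminserver.conf. The function names, path arguments and sample file contents are assumptions.

```shell
# Added example, not from the original document. Path arguments are assumptions.
set -eu

# Apply step 5-7 of "How to disable QTSS web-based admin" to the given file:
# rewrite QTSSERVER=-YES- to QTSSERVER=-NO-. Running it twice is harmless.
disable_qtss_in_hostconfig() {
    hostconfig="$1"
    sed 's/QTSSERVER=-YES-/QTSSERVER=-NO-/' "$hostconfig" > "$hostconfig.tmp"
    mv "$hostconfig.tmp" "$hostconfig"
}

# Succeed only if the file explicitly sets QTSSERVER=-NO-. A file with no
# QTSSERVER line at all is reported as not disabled, so the check stays strict.
qtss_is_disabled() {
    grep -q '^QTSSERVER=-NO-$' "$1"
}

# Write the allow= restriction from "How to limit QTSS web-based admin access"
# into streamingadminserver.conf, creating the file if needed and replacing any
# existing allow= line so the effective setting is unambiguous.
set_admin_allow() {
    conf="$1"; hosts="$2"
    if [ -f "$conf" ]; then
        grep -v '^allow=' "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    printf 'allow=%s\n' "$hosts" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Demo on a constructed copy of hostconfig, never on the live /etc/hostconfig.
demo=$(mktemp)
printf 'QTSSERVER=-YES-\nWEBSERVER=-YES-\n' > "$demo"
disable_qtss_in_hostconfig "$demo"
qtss_is_disabled "$demo" && echo "QTSSERVER disabled in $demo"
rm -f "$demo"
```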