[原文]parse_xml.cgi in Apple Darwin Streaming Server 4.1.1 allows remote attackers to determine the existence of arbitrary files by using ".." sequences in the filename parameter and comparing the resulting error messages.
Apple Darwin Streaming Server 4.1.1的parse_xml.cgi存在漏洞。远程攻击者可以通过在filename参数中使用“..”序列删存任意文件，并且可以对比产生的错误信息。
This issue has reportedly been fixed in version 4.1.3 of QuickTime/Darwin Streaming Server. This information has not been confirmed by the vendor. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org .