Message-ID: <20130430083744.GG19735@box.cz>
Date: Tue, 30 Apr 2013 10:37:44 +0200
From: "Michal J." <wejn@....cz>
To: bugtraq@...urityfocus.com
Subject: WowzaMediaServer StorageDir escape (regression)

Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server

Issue:
In early 2009 I reported a problem with the processing of requests with relative paths. The issue has surfaced again. In a nutshell, you can escape an Application's StorageDir using a relative path.

Let's say you have two applications:
* vod1 with /usr/local/WowzaMediaServer/content1/ as StorageDir
* vod2 with /usr/local/WowzaMediaServer/content2/ as StorageDir

Requesting to play `mp4:../content1/file.mp4` from `vod2` will work just fine, thus bypassing the configured StorageDir.

Possible workarounds:
* Implement a custom module that supplies either an `IMediaStreamNameAliasProvider2` or an `IMediaStreamFileMapper` override which blocks requests falling outside the configured `StorageDir`
* Use the StreamNameAlias module to block requests with relative paths
* Upgrade to Wowza 3.5.2.06 (patch that hopefully fixes this issue)
* Don't use predictable paths

Timeline:
* 2013-04-06 Wowza Media Services contacted about this issue
* 2013-04-08 Wowza acknowledges this bug, no further info received
* 2013-04-30 Public release due to vendor's non-cooperation

M.
-- 
Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love than to be a success at something you hate..." -- George Burns
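The containment check behind the first workaround, as an added Python example that is not from the advisory or from Wowza: the application names and StorageDir paths are the advisory's, while the function names are assumptions, and a real Wowza module would perform this check inside a Java `IMediaStreamFileMapper` implementation rather than in Python.

```python
import posixpath

# Constructed sample configuration mirroring the advisory's two applications.
STORAGE_DIRS = {
    "vod1": "/usr/local/WowzaMediaServer/content1/",
    "vod2": "/usr/local/WowzaMediaServer/content2/",
}


def strip_stream_prefix(stream_name):
    """Drop a Wowza-style type prefix such as 'mp4:' from the stream name."""
    prefix, sep, rest = stream_name.partition(":")
    # Only treat it as a prefix when it looks like a short type tag (mp4, flv, ...).
    if sep and prefix.isalnum() and len(prefix) <= 8:
        return rest
    return stream_name


def map_stream_to_file(app, stream_name, storage_dirs=STORAGE_DIRS):
    """Resolve a stream name to a file path confined to the app's StorageDir.

    Returns the resolved absolute path, or None when the request would land
    outside StorageDir. Uses pure path arithmetic (no filesystem access), so
    symlinks placed inside StorageDir are a separate concern not handled here.
    """
    root = posixpath.normpath(storage_dirs[app])
    # Treat backslashes as separators too, so 'a\\..\\b' cannot slip past normpath.
    rel = strip_stream_prefix(stream_name).replace("\\", "/")
    # Absolute names and embedded NULs are never legitimate stream names.
    if rel.startswith("/") or "\x00" in rel:
        return None
    # normpath collapses '.', '..' and duplicate separators after joining,
    # so '../content1/file.mp4' resolves to a sibling directory of root.
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Containment: the result must be root itself or strictly below root.
    # The trailing '/' prevents '/content2' from matching '/content20'.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's escaping request is rejected; an in-tree name is mapped.
    print(map_stream_to_file("vod2", "mp4:../content1/file.mp4"))  # None
    print(map_stream_to_file("vod2", "mp4:file.mp4"))
```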