lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20130430083041.GC19735@box.cz>
Date: Tue, 30 Apr 2013 10:30:41 +0200
From: "Michal J." <wejn@....cz>
To: full-disclosure@...ts.grok.org.uk
Subject: WowzaMediaServer StorageDir escape (regression)

Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server

Issue:

In early 2009 I reported problem with processing of requests with
relative paths.

The issue surfaced again.

In a nutshell, you can escape Applications StorageDir using relative
path.

Lets say you have two applications:

* vod1 with /usr/local/WowzaMediaServer/content1/ as StorageDir
* vod2 with /usr/local/WowzaMediaServer/content2/ as StorageDir

Requesting to play `mp4:../content1/file.mp4` from `vod2` will work
just fine thus bypassing configured StorageDir.

Possible workarounds:

* Implement custom module that supplies either
  `IMediaStreamNameAliasProvider2` or `IMediaStreamFileMapper` override
  which blocks requests falling outside configured `StorageDir`
* Use StreamNameAlias module to block requests with relative paths
* Upgrade to Wowza 3.5.2.06 (patch that hopefully fixes this issue)
* Don't use predictable paths

Timeline:

* 2013-04-06 Wowza Media Services contacted about this issue
* 2013-04-08 Wowza acknowledges this bug, no further info received
* 2013-04-30 Public release due to vendor's non-cooperation

M.
-- 
Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love
than to be a success at something you hate..." -- George Burns

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ