WowzaMediaServer StorageDir Constraint Bypass

2013-04-30T00:00:00
ID PACKETSTORM:121466
Type packetstorm
Reporter Michal J.
Modified 2013-04-30T00:00:00

Description

                                        
                                            `Product: Wowza Media Server  
URL: http://www.wowza.com/  
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server  
  
Issue:  
  
In early 2009 I reported problem with processing of requests with  
relative paths.  
  
The issue surfaced again.  
  
In a nutshell, you can escape Applications StorageDir using relative  
path.  
  
Lets say you have two applications:  
  
* vod1 with /usr/local/WowzaMediaServer/content1/ as StorageDir  
* vod2 with /usr/local/WowzaMediaServer/content2/ as StorageDir  
  
Requesting to play `mp4:../content1/file.mp4` from `vod2` will work  
just fine thus bypassing configured StorageDir.  
  
Possible workarounds:  
  
* Implement custom module that supplies either  
`IMediaStreamNameAliasProvider2` or `IMediaStreamFileMapper` override  
which blocks requests falling outside configured `StorageDir`  
* Use StreamNameAlias module to block requests with relative paths  
* Upgrade to Wowza 3.5.2.06 (patch that hopefully fixes this issue)  
* Don't use predictable paths  
  
Timeline:  
  
* 2013-04-06 Wowza Media Services contacted about this issue  
* 2013-04-08 Wowza acknowledges this bug, no further info received  
* 2013-04-30 Public release due to vendor's non-cooperation  
  
M.  
--  
Michal J. <wejn(at)box.cz>  
"I honestly think it is better to be a failure at something you love  
than to be a success at something you hate..." -- George Burns  
`