Secure vulnerable StreamManager HTTP provider for Wowza server software


This document provides instructions to help you prevent third parties from exploiting your Wowza™ media server software through its StreamManager HTTP provider. Follow the instructions below to prevent a third party from exploiting this vulnerability to subject your media server to cross-site scripting (XSS) attacks.

About the StreamManager HTTP provider

The StreamManager HTTP provider (com.wowza.wms.http.streammanager.HTTPStreamManager) works with the MediaCaster system in Wowza media server software to re-stream IP camera streams (RTSP/RTP streams), SHOUTcast/Icecast streams, and native RTP encoders.

Affected Wowza server software versions

Update StreamManager HTTP provider authentication method

By default, access to the Stream Manager is controlled by a challenge/response digest authentication system to authenticate users (credentials are never sent in clear text). Turning off this default authentication method could make the Stream Manager potentially vulnerable to cross-site scripting (XSS) attacks.

To help prevent an XSS attack on your media server, verify that digest authentication for Stream Manager is NOT turned off. To do this, open the [install-dir]/conf/VHost.xml file in your Wowza media server installation in a text editor and verify that the AuthenticationMethod property for the StreamManager HTTP provider is set to admin-digest (the default value).

<HTTPProvider>
	<BaseClass>com.wowza.wms.http.streammanager.HTTPStreamManager</BaseClass>
	<RequestFilters>streammanager*</RequestFilters>
	<AuthenticationMethod>admin-digest</AuthenticationMethod>
</HTTPProvider>

If the AuthenticationMethod property is set to something other than the default value, change the value to admin-digest, and then restart your media server software to apply the change. For more information, see How to start and stop Wowza Streaming Engine software.
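The verification and correction steps above can be scripted so that every StreamManager HTTPProvider entry in VHost.xml is audited at once. The following Python script is an added example, not Wowza's own code: it assumes only the element names shown in the snippet above (HTTPProvider, BaseClass, AuthenticationMethod), ignores how deeply the provider is nested, and treats a missing AuthenticationMethod element as a finding. The embedded VHost.xml fragment is constructed for illustration; the second provider's BaseClass is a placeholder.

```python
"""Audit a Wowza VHost.xml for StreamManager HTTP providers whose
AuthenticationMethod is not the default admin-digest, and optionally
produce a corrected copy.

Added example, not Wowza's own code. Assumptions: the element names
HTTPProvider, BaseClass and AuthenticationMethod as shown in the article;
the surrounding nesting (HostPortList/HostPort/HTTPProviders) is only a
guess and is not relied upon, since providers are located with iter().
"""
import sys
import xml.etree.ElementTree as ET

STREAM_MANAGER_CLASS = "com.wowza.wms.http.streammanager.HTTPStreamManager"
EXPECTED_AUTH = "admin-digest"

# Constructed sample VHost.xml fragment: the first StreamManager provider
# has authentication turned off, the second lacks the element entirely, and
# an unrelated provider (placeholder class name) must be left alone.
SAMPLE_VHOST_XML = """<Root version="1">
  <VHost>
    <HostPortList>
      <HostPort>
        <HTTPProviders>
          <HTTPProvider>
            <BaseClass>com.wowza.wms.http.streammanager.HTTPStreamManager</BaseClass>
            <RequestFilters>streammanager*</RequestFilters>
            <AuthenticationMethod>none</AuthenticationMethod>
          </HTTPProvider>
          <HTTPProvider>
            <BaseClass>com.example.PlaceholderProvider</BaseClass>
            <RequestFilters>placeholder*</RequestFilters>
            <AuthenticationMethod>none</AuthenticationMethod>
          </HTTPProvider>
        </HTTPProviders>
      </HostPort>
      <HostPort>
        <HTTPProviders>
          <HTTPProvider>
            <BaseClass>com.wowza.wms.http.streammanager.HTTPStreamManager</BaseClass>
            <RequestFilters>streammanager*</RequestFilters>
          </HTTPProvider>
        </HTTPProviders>
      </HostPort>
    </HostPortList>
  </VHost>
</Root>
"""


def _child_text(elem, tag):
    """Return the stripped text of a direct child element, or None if absent."""
    child = elem.find(tag)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def audit_vhost(xml_text):
    """Return one finding per StreamManager HTTPProvider.

    Each finding is {"auth": <configured value or None>, "ok": bool}.
    A missing AuthenticationMethod is reported as not ok so it is reviewed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for provider in root.iter("HTTPProvider"):
        if _child_text(provider, "BaseClass") != STREAM_MANAGER_CLASS:
            continue
        auth = _child_text(provider, "AuthenticationMethod")
        findings.append({"auth": auth, "ok": auth == EXPECTED_AUTH})
    return findings


def remediate_vhost(xml_text):
    """Return XML text with every StreamManager provider set to admin-digest.

    Missing AuthenticationMethod elements are added. ElementTree drops XML
    comments when re-serialising, so diff the result before replacing the
    real [install-dir]/conf/VHost.xml and restart the server afterwards.
    """
    root = ET.fromstring(xml_text)
    for provider in root.iter("HTTPProvider"):
        if _child_text(provider, "BaseClass") != STREAM_MANAGER_CLASS:
            continue
        auth = provider.find("AuthenticationMethod")
        if auth is None:
            auth = ET.SubElement(provider, "AuthenticationMethod")
        auth.text = EXPECTED_AUTH
    return ET.tostring(root, encoding="unicode")


def main(argv):
    """Audit the file given as argv[1], or the constructed sample if none."""
    path = argv[1] if len(argv) > 1 else None
    with open(path, encoding="utf-8") if path else None as fh:
        xml_text = fh.read() if fh else SAMPLE_VHOST_XML
    findings = audit_vhost(xml_text)
    if not findings:
        print("no StreamManager HTTPProvider found")
        return 0
    for f in findings:
        status = "OK" if f["ok"] else "MISCONFIGURED"
        print(f"{status}: AuthenticationMethod={f['auth']!r} (expected {EXPECTED_AUTH!r})")
    return 1 if any(not f["ok"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to VHost.xml as the only argument; a non-zero exit status means at least one StreamManager provider is not using admin-digest, which makes the check easy to wire into a configuration-drift job. Pass the output of remediate_vhost through a diff before writing it back, because the re-serialised file loses comments and may change whitespace.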

Note: For more information on how to authenticate HTTP Providers, see HTTP Providers in 'How to use server-side modules and HTTP Providers'.

More information

Wowza Media Server Software Critical Update Webpage