This document explains how to prevent third parties from exploiting your Wowza™ media server software through its StreamManager HTTP provider. Follow the instructions below to prevent a third party from exploiting this vulnerability to subject your media server to cross-site scripting (XSS) attacks.
The StreamManager HTTP provider (com.wowza.wms.http.streammanager.HTTPStreamManager) works with the MediaCaster system in Wowza media server software to re-stream IP camera streams (RTSP/RTP streams), SHOUTcast/Icecast streams, and native RTP encoders.
By default, access to the Stream Manager is protected by challenge/response digest authentication, so user credentials are never sent in clear text. Turning off this default authentication method could leave the Stream Manager vulnerable to cross-site scripting (XSS) attacks.
To help prevent an XSS attack on your media server, verify that digest authentication for Stream Manager is NOT turned off. To do this, open the [install-dir]/conf/VHost.xml file in your Wowza media server installation in a text editor and verify that the AuthenticationMethod property for the StreamManager HTTP provider is set to admin-digest (the default value).
<HTTPProvider>
    <BaseClass>com.wowza.wms.http.streammanager.HTTPStreamManager</BaseClass>
    <RequestFilters>streammanager*</RequestFilters>
    <AuthenticationMethod>admin-digest</AuthenticationMethod>
</HTTPProvider>
If the AuthenticationMethod property is set to something other than the default value, change the value to admin-digest, and then restart your media server software to apply the change. For more information, see How to start and stop Wowza Streaming Engine software.
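The check described above can be automated so it runs as part of a configuration audit rather than by eye. The following Python script is an added example written for this page, not a tool shipped by Wowza: it parses a VHost.xml file, finds every HTTPProvider whose BaseClass is the StreamManager class, and reports any whose AuthenticationMethod is not explicitly admin-digest. The embedded sample XML is constructed for the example (its HostPort layout is assumed and trimmed down), and com.example.OtherProvider is a placeholder class name, not a real Wowza provider.

```python
import sys
import xml.etree.ElementTree as ET

# Values taken from the advisory above.
STREAM_MANAGER_CLASS = "com.wowza.wms.http.streammanager.HTTPStreamManager"
REQUIRED_AUTH = "admin-digest"

# Constructed sample of the relevant part of a VHost.xml (trimmed, assumed
# layout; not a real server's file). The first StreamManager provider is
# hardened, the second has had digest authentication turned off.
SAMPLE_VHOST_XML = """<Root>
  <VHost>
    <HostPortList>
      <HostPort>
        <Port>8086</Port>
        <HTTPProviders>
          <HTTPProvider>
            <BaseClass>com.wowza.wms.http.streammanager.HTTPStreamManager</BaseClass>
            <RequestFilters>streammanager*</RequestFilters>
            <AuthenticationMethod>admin-digest</AuthenticationMethod>
          </HTTPProvider>
        </HTTPProviders>
      </HostPort>
      <HostPort>
        <Port>8087</Port>
        <HTTPProviders>
          <HTTPProvider>
            <BaseClass>com.wowza.wms.http.streammanager.HTTPStreamManager</BaseClass>
            <RequestFilters>streammanager*</RequestFilters>
            <AuthenticationMethod>none</AuthenticationMethod>
          </HTTPProvider>
          <HTTPProvider>
            <BaseClass>com.example.OtherProvider</BaseClass>
            <RequestFilters>*</RequestFilters>
            <AuthenticationMethod>none</AuthenticationMethod>
          </HTTPProvider>
        </HTTPProviders>
      </HostPort>
    </HostPortList>
  </VHost>
</Root>"""


def audit_stream_manager_auth(vhost_xml):
    """Return one finding dict per StreamManager HTTPProvider in the XML text.

    A provider passes only when AuthenticationMethod is explicitly
    'admin-digest'. A missing element is reported as a failure so the
    audit errs on the side of caution rather than assuming a default.
    """
    root = ET.fromstring(vhost_xml)
    findings = []
    for provider in root.iter("HTTPProvider"):
        base_class = (provider.findtext("BaseClass") or "").strip()
        if base_class != STREAM_MANAGER_CLASS:
            continue  # other providers are out of scope for this check
        method = (provider.findtext("AuthenticationMethod") or "").strip()
        findings.append({
            "request_filters": (provider.findtext("RequestFilters") or "").strip(),
            "authentication_method": method or "<missing>",
            "ok": method == REQUIRED_AUTH,
        })
    return findings


def is_stream_manager_hardened(vhost_xml):
    """True when every StreamManager provider uses admin-digest.

    If no StreamManager provider is configured at all there is nothing
    to harden, so the result is trivially True.
    """
    return all(f["ok"] for f in audit_stream_manager_auth(vhost_xml))


def audit_file(path):
    """Audit a VHost.xml on disk, e.g. [install-dir]/conf/VHost.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_stream_manager_auth(fh.read())


if __name__ == "__main__":
    # Usage: python audit_vhost.py [path/to/VHost.xml]; with no argument the
    # constructed sample is audited. Exit status 1 means at least one
    # StreamManager provider is not using admin-digest.
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_stream_manager_auth(SAMPLE_VHOST_XML)
    for f in results:
        status = "OK  " if f["ok"] else "FAIL"
        print(f"{status} StreamManager ({f['request_filters']}): "
              f"AuthenticationMethod={f['authentication_method']}")
    sys.exit(0 if all(f["ok"] for f in results) else 1)
```

Run against the sample, the script prints one OK line for the provider on port 8086 and one FAIL line for the provider on port 8087, and exits non-zero; the placeholder provider is ignored because the advisory's check applies only to the StreamManager class. Treating a missing AuthenticationMethod as a failure is a deliberate choice: it forces the setting to be stated explicitly in the file, which is what the instructions above ask you to verify.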
Note: For more information on how to authenticate HTTP Providers, see HTTP Providers in 'How to use server-side modules and HTTP Providers'.