Results 1 to 2 of 2

Thread: issue with potential hole with my application

  1. #1

    Default issue with potential hole with my application

    We have had a java/actionscript programmer who did our coding but unfrotunately is on extended leave. We found some useful information in wowza to check things like this:

    http://[wowza-address]:8086/serverinfo
    http://[wowza-address]:8086/connectioncounts
    http://[wowza-address]:8086/connectioninfo

    What we found was in the REFERER section of the XML someone was coming in not using our .swf and in fact i have no idea what file they were using becuase the referer shows as UNKNOWN. My question
    is how that this be that we would not be able to detect the referrer?

    The bigger problem is that we had left the spot on allowdomains in applicaton.xml blank and were SUPPOSED to be controlling access (referrer had to be from our .swf) from our .jar file and application, at least that is what i thought.
    the .jar file application manages free vod and pay per minute and membership streaming. In the PPM section someone is connecting and if they know the name of the movie they just completely bypass our entire application. What is strange is even if the get past the referrer issue the system should be checking the username, allocating and deducting minutes, etc and it seems these guys just connected and bypassed everything. This could be a hole in our .jar code i guess. but still it seems like there is something else.

    So what we did was add our domain to the allowdomain part in the /conf/appname/application.xml file and that SEEMS to have worked. Now when they come in we see the connection in the logs and immeidately it gets rejected.
    So i was just wanting to know about the UNKNOWN referrer and also if there is anything documention wise about how we can check our application to see if we can find out how exatly thes guys seem to be bypassing out entire application. We hvae a java console that shows the command of what each user is doing and these guys do not show up in the console anywhere except for one weird message:
    INFO session connect-pending 1.1.1.1 -
    ERROR server comment - invoke(onConnect): java.lang.NumberFormatException: null: java.lang.Integer.parseInt(Integer.java:417)
    java.lang.NumberFormatException: null
    at java.lang.Integer.parseInt(Integer.java:417)
    at java.lang.Integer.<init>(Integer.java:660)
    at com.johncorp.videoplayer.VideoPlayer.onConnect(VideoPlayer.java:219)
    at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.wowza.wms.module.ModuleFunction.invoke(Unknown Source)
    at com.wowza.wms.module.ModuleFunctions.invokeSpecial(Unknown Source)
    at com.wowza.wms.module.ModuleFunctions.onConnect(Unknown Source)
    at com.wowza.wms.module.ModuleConnect.connect(Unknown Source)
    at com.wowza.wms.request.RequestProcessFunctions.processFunctions(Unknown Source)
    at com.wowza.wms.request.RTMPRequestAdapter.service(Unknown Source)
    at com.wowza.wms.server.ServerHandler.serviceRequest(Unknown Source)
    at com.wowza.wms.server.ServerHandler.handleMessageReceived(Unknown Source)
    at com.wowza.wms.server.ServerHandler.messageReceived(Unknown Source)
    at com.wowza.wms.server.ServerHandlerThreadedSession.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)4:18 PM 4/6/2012

    and then they are allowed to play anything they want for as long as they want. I am wondering if there is something else about the config that is OPEN that is allowing them to bypass or connect in some other way?

  2. #2
    Join Date
    Dec 2007
    Posts
    22,013

    Default

    There is not always a referrer. If you open a swf file in a file explorer or from a web server directly without html, there is no referrer. Not sure, but if swf is open with javascript or anchor (a) tag into new window, there is not be a referrer.

    The error you show is from your custom module:
    com.johncorp.videoplayer.VideoPlayer.onConnect(VideoPlayer.java:219)
    Richard

Similar Threads

  1. Replies: 4
    Last Post: 08-05-2015, 03:44 PM
  2. Few questions for a potential VOD project
    By gtomas in forum Wowza Media Server 3 for Amazon EC2 Discussion
    Replies: 6
    Last Post: 04-17-2012, 12:54 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •