Thread: Is Wowza affected by Shellshock / Does Wowza read/write ENV variables ?

  1. #1
    Join Date
    Nov 2012
    Posts
    5

    Is Wowza affected by Shellshock / Does Wowza read/write ENV variables ?

    Question says it all. Cannot find anything on Google or on forums regarding this or past versions of Wowza.

    I highly doubt it is vulnerable (writing malicious ENV based on URL input) but it's not impossible. Would love to have official feedback on this. Thank you!

  2. #2

    Hi,

    Wowza does set some environment variables when running under Linux when starting, so

    _EXECJAVA=java
    WMSAPP_HOME=/usr/local/WowzaStreamingEngine
    WMSCONFIG_HOME=/usr/local/WowzaStreamingEngine
    WMSCONFIG_URL=

    export WMSAPP_HOME WMSCONFIG_HOME JAVA_OPTS _EXECJAVA

    but once running it is not possible by default to write system variables by URL input.

    Andrew.

  3. #3
    Join Date
    Dec 2014
    Posts
    1

    Originally posted by andrew_k:

        Hi,

        Wowza does set some environment variables when running under Linux when starting, so

        _EXECJAVA=java
        WMSAPP_HOME=/usr/local/WowzaStreamingEngine
        WMSCONFIG_HOME=/usr/local/WowzaStreamingEngine
        WMSCONFIG_URL=

        export WMSAPP_HOME WMSCONFIG_HOME JAVA_OPTS _EXECJAVA

        but once running it is not possible by default to write system variables by URL input.

        Andrew.

    This answer is rather troubling in my opinion, as it really only addresses half of the issue, but anyone running it on *nix should already know the env vars it sets.

    What about tampering with user agents? Or through POST requests? The way Wowza operates (to my somewhat limited knowledge) would seem to imply a specially crafted POST request could be an issue.

    Has this been tested at all by the Wowza team, or am I better off finding out on my own?

  4. #4

    I have tested some scenarios; however, as with all security options, testing yourself/within your own security framework should be done to ensure it meets your set level of acceptance. We would of course be keen to hear your results.

    It is important to note that the vulnerability is within shell and has been identified as the area which needs resolving.

    Andrew
    Last edited by andrew_k; 12-25-2014 at 02:52 PM.

  5. #5

    It is not affected.
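
A defender-side check for the two questions raised in this thread: whether the host's bash is patched, and whether a process environment carries a function-shaped value. This is an added example, not part of any post and not Wowza code; the function names, the `SAMPLE_HEADER` variable and the sample data are constructed, and Linux's `/proc/<pid>/environ` format is assumed as the input.

```shell
#!/bin/sh
# Added example, not Wowza code. All sample data is constructed.

# 0 = the bash binary ($1, default "bash") ignores a command trailing a
# function definition in an environment variable (patched);
# 1 = it ran the trailing command (unpatched); 2 = binary not found.
bash_is_patched() {
    sh_bin=${1:-bash}
    command -v "$sh_bin" >/dev/null 2>&1 || return 2
    out=$(env probe='() { :;}; echo MARKER' "$sh_bin" -c ':' 2>/dev/null) || true
    [ "$out" != "MARKER" ]
}

# Scan a NUL-separated environment dump (the /proc/<pid>/environ format,
# which holds the environment the process was started with). Prints the
# name of every variable whose value begins with "() {" and returns 0 if
# any was found, 1 otherwise. A patched bash exports its own functions
# under BASH_FUNC_ names, so those hits are expected; others are not.
# Values containing newlines are split and may be missed.
scan_environ() {
    tr '\000' '\n' < "$1" | awk '
        { i = index($0, "="); if (i == 0) next
          name = substr($0, 1, i - 1); value = substr($0, i + 1)
          if (substr(value, 1, 4) == "() {") { print name; found = 1 } }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: the variables from the startup script quoted above
# plus one hypothetical function-shaped value with a no-op tail.
write_sample_environ() {
    printf '_EXECJAVA=java\000WMSAPP_HOME=/usr/local/WowzaStreamingEngine\000' > "$1"
    printf 'WMSCONFIG_URL=\000SAMPLE_HEADER=() { :;}; :\000' >> "$1"
}

tmp=$(mktemp)
write_sample_environ "$tmp"
scan_environ "$tmp" || echo "no function-shaped values"
bash_is_patched && echo "bash: patched" || echo "bash: unpatched or missing"
rm -f "$tmp"
```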
