Wowza Community

Security breach in HTTP streaming

I need a fast solution because I discovered this loophole the hard way on the production environment, which is now offline until this is fixed.

This is the scenario:

There is a security module (onHTTPSessionCreate) that checks if the user is authenticated when he requests the stream with the link:

http://my.domain:1935/ChannelName/smil:channel.smil/playlist.m3u8

If the user is not authenticated, the session is rejected, and there is no problem here.

Now this is happening: an authenticated user requests the link and a chunklist is returned to him:

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1000000
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b1000000.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=2000000
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b2000000.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=4000000
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b4000000.m3u8

Then he opens the links in a player to keep the session open, and then shares these links with other users.

On the server we noticed this behaviour when only one connection was shown as active and the download speed corresponded to more than 100 users.

Running a test with 3 active connections on the same session, this was shown in :8086/connectioncounts:

<Name>ChannelName</Name>
<Status>loaded</Status>
<TimeRunning>4940.908</TimeRunning>
<ConnectionsCurrent>1</ConnectionsCurrent>
<ConnectionsTotal>2</ConnectionsTotal>
<ConnectionsTotalAccepted>2</ConnectionsTotalAccepted>
<ConnectionsTotalRejected>0</ConnectionsTotalRejected>
<MessagesInBytesRate>1034681.0</MessagesInBytesRate>
<MessagesOutBytesRate>589403.0</MessagesOutBytesRate>

Also, when opening the chunklist link directly

http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b1000000.m3u8

the method onHTTPSessionCreate is not called; it is called only when the first connection to the playlist is requested.

Regards,

Hi,

If you believe you have found a vulnerability in the Wowza security section then please post your findings to support@wowza.com. This will raise a ticket and will be quickly looked at.

Please include zipped-up copies of:

[install-path]/conf

[install-path]/logs

[install-path]/manager

and any other content or detail which will help us to identify the problem.

However, if you are running Wowza Streaming Engine (version 4x), you may wish to perform an update first, as there may have been a relevant patch added:

Software Updates

How to apply a software update

The update process will preserve your current configuration.

Kind regards,

Paul

Just to update the thread, it was resolved via ticket.

The solution is to implement IVHostHTTPStreamerRequestValidator which will allow me to register all access even to the chunklist.

Thanks

Regards,
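The per-request check that the resolution above describes, as an added sketch that is not part of the thread and does not use the Wowza API. The class and method names are hypothetical, the client addresses are constructed sample data, and it assumes the `w<digits>` token in a chunklist name identifies the HTTP session created on the playlist request.

```python
import re
from urllib.parse import urlparse

# Assumption: the "w<digits>" token in a chunklist name identifies the HTTP
# session that was authenticated when playlist.m3u8 was requested.
CHUNKLIST_RE = re.compile(r"/chunklist_w(\d+)_b\d+\.m3u8$")


class SessionRequestValidator:
    """Hypothetical per-request check; a model of the idea, not the Wowza API."""

    def __init__(self):
        self.owner = {}      # session token -> client address bound at creation
        self.rejected = []   # (session token, client address) audit trail

    def on_session_create(self, session_id, client_ip):
        # Called once, after authentication succeeds on the playlist request.
        self.owner[session_id] = client_ip

    def validate_request(self, url, client_ip):
        # Called for EVERY HTTP request, including direct chunklist hits.
        match = CHUNKLIST_RE.search(urlparse(url).path)
        if match is None:
            return True  # not a chunklist; left to the playlist-level check
        session_id = match.group(1)
        if self.owner.get(session_id) == client_ip:
            return True
        # Unknown session, or a known session replayed from another client.
        self.rejected.append((session_id, client_ip))
        return False


def demo():
    # Constructed sample data: addresses are documentation ranges (RFC 5737).
    base = "http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/"
    v = SessionRequestValidator()
    v.on_session_create("1314649056", "192.0.2.10")
    requests = [
        (base + "chunklist_w1314649056_b1000000.m3u8", "192.0.2.10"),
        (base + "chunklist_w1314649056_b2000000.m3u8", "198.51.100.7"),
        (base + "chunklist_w999_b1000000.m3u8", "203.0.113.5"),
    ]
    return [v.validate_request(u, ip) for u, ip in requests], v.rejected


if __name__ == "__main__":
    print(demo())
```

Binding a session to the client address is only one possible policy: clients behind a shared NAT present the same address, so a per-session token or cookie check is stricter.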