Product: Wowza Media Server URL: http://www.wowza.com/ Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server Issue: By default all installations of WMS use four modules in their application's config file: base, properties, logging, flvplayback. I've found out that the `properties` module allows unauthenticated attacker to get/set various properties (Client, MediaStream, ApplicationInstance, and Application). Since ApplicationInstance properties are commonly used to store sensitive data (for instance `secureTokenSharedSecret` property used to secure origin-edge and/or client-origin RTMP connections, backend credentials, etc) this poses non-trivial risk. Fetching the abovementioned `secureTokenSharedSecret` property from the streaming server allows attacker to easily employ rtmpdump (and the like) to dump VOD files and/or in extreme cases re-stream directly from origin. As a demo I've implemented straightforward patch to JWPlayer (popular Flash player) that bypasses SecureToken protection on the fly. This demo is available in a long-winded blog post at my company's website: http://tinyurl.com/wontyoupleasethinkoftheusers As for the `logging` module, this can be used to fill logfile with nonsensical log entries (and worse). Workaround: Disable both `properties` and `logging` modules unless you absolutely need them (99% of the people running WMS probably don't) or wait for vendor fix. Timeline: * 2013-04-06 Wowza Media Services contacted about this issue * 2013-04-08 Wowza rep states that this is a non-issue and accuses me of scaremongering * 2013-04-19 After subsequent rounds of communication, Wowza rep threatens to "reevaluate" my independent consultant status if this info disclosed * 2013-04-27 Contacting Wowza rep with non-public preview of this post including the JWPlayer demo (last shot at responsible disclosure) * 2013-04-28 Wowza rep responds with more indirect threats, info that this will be resolved sometime in the future and a plea "won't you please think of the users" * 2013-04-30 Public release due to vendor's non-cooperation M. -- Michal J. "I honestly think it is better to be a failure at something you love than to be a success at something you hate..." -- George Burns