![]() ![]() ![]() By randomly choosing different virtual host names, a malicious attacker is able to exhaust filesystem resources, resulting in a denial of service (DoS) condition on the affected application. Each time a new virtual host is requested, a 280 KB file is created on the filesystem. Summary: An authenticated user that views Virtual Host Monitoring historical data is able to forge an HTTP request to view a non-existing virtual host.2 - Uncontrolled Resource Consumption - CWE-400 This is not true in the case of user creation, where that parameter is present and correctly validated.īy exploiting this issue, a remote attacker is able to delete every user on Wowza Streaming Engine on behalf of a regular platform administrator. In this case, the application accepts the request and processes it every time. It was also found that the wowzaSecurityToken HTTP parameter is not present in this GET request. The request will be sent to the web application, and the user will be deleted: Select Submit request, to force the administrator to delete the selected user. Then, Copy the following HTML to a file served on another machine, in this case a local Kali Linux, in the file: /var/startįrom an authenticated browser session to Wowza Streaming Engine with administrative privileges, open a new tab and go to the page. I have found two security issues on Wowza Streaming Engine Users -> Add User.
0 Comments
Leave a Reply. |