An attacker could exploit this vulnerability by requesting random virtual host historical data and exhausting available filesystem resources. This vulnerability is due to the insufficient management of available filesystem resources. CVE and CVSS Score: CVE-2021-35492 | 6.5 (Medium)Ī remote user, authenticated to the Wowza Streaming Engine web interface, through Virtual Host Monitoring section, could exhaust filesystem resources, resulting in a denial of service (DoS) condition on an affected application.Prerequisites: Valid user session with the privileges to view Virtual Host Monitoring on Wowza Streaming Engine web interface.
By randomly choosing different virtual host names, a malicious attacker is able to exhaust filesystem resources, resulting in a denial of service (DoS) condition on the affected application. Each time a new virtual host is requested, a 280 KB file is created on the filesystem.
In this case, the application accepts the request and processes it every time. It was also found that the wowzaSecurityToken HTTP parameter is not present in this GET request. The request will be sent to the web application, and the user will be deleted: Select Submit request, to force the administrator to delete the selected user. Then, Copy the following HTML to a file served on another machine, in this case a local Kali Linux, in the file: /var/startįrom an authenticated browser session to Wowza Streaming Engine with administrative privileges, open a new tab and go to the page. I have found two security issues on Wowza Streaming Engine Users -> Add User.
0 kommentar(er)
