← Advisories

Wowza Streaming Engine 4.5.0 CSRF Add Advanced Admin Exploit

Medium
Advisory ID
ZSL-2016-5341
Release Date
19 July 2016
Vendor
Wowza Media Systems, LLC. - https://www.wowza.com
Affected Version
4.5.0 (build 18676)
CVE
CVE-2016-20035
Tested On
Winstone Servlet Engine v1.0.5, Servlet/2.5 (Winstone/1.0.5)
Summary

Wowza Streaming Engine is robust, customizable, and scalable server software that powers reliable video and audio streaming to any device. Learn the benefits of using Wowza Streaming Engine to deliver high-quality live and on-demand video content to any device.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept
wowza_csrf.txtTXT
Disclosure Timeline
03.07.2016Vulnerability discovered.
09.07.2016Contact with the vendor.
18.07.2016No response from the vendor.
19.07.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/40134/
[2]https://packetstormsecurity.com/files/137973
[3]https://cxsecurity.com/issue/WLB-2016070153
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/115115
[5]https://www.cve.org/CVERecord?id=CVE-2016-20035
Changelog
19.07.2016Initial release
22.07.2016Added reference [1], [2] and [3]
26.07.2016Added reference [4]
24.03.2026Added reference [5]