← Advisories

Wowza Streaming Engine 4.5.0 Cleartext Storage Of Sensitive Information

Medium

Advisory ID

ZSL-2016-5342

Release Date

19 July 2016

Vendor

Wowza Media Systems, LLC. - https://www.wowza.com

Affected Version

4.5.0 (build 18676)

CVE

N/A

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Winstone Servlet Engine v1.0.5, Servlet/2.5 (Winstone/1.0.5)

Summary

Wowza Streaming Engine is robust, customizable, and scalable server software that powers reliable video and audio streaming to any device. Learn the benefits of using Wowza Streaming Engine to deliver high-quality live and on-demand video content to any device.

Description

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. When the file is modified it is automatically applied into the application with newly created user account. Wowza stores sensitive information such as username and password in cleartext in admin.password file, which is readable by local users.

Proof of Concept

wowza_plainstr.txtTXT

Disclosure Timeline

03.07.2016Vulnerability discovered.

09.07.2016Contact with the vendor.

18.07.2016No response from the vendor.

19.07.2016Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/137974

[2]https://cxsecurity.com/issue/WLB-2016070154

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/115126

Changelog

19.07.2016Initial release

22.07.2016Added reference [1] and [2]

26.07.2016Added reference [3]