Question says it all. Cannot find anything on Google or on forums regarding this or past versions of Wowza.
I highly doubt it is vulnerable (writing malicious ENV based on URL input) but it’s not impossible. Would love to have official feedback on this. Thank you!
I have tested some scenarios; however, as with all security options, testing yourself/within your own security framework should be done to ensure it meets your set level of acceptance. We would of course be keen to hear your results.
It is important to note that the vulnerability is within shell and has been identified as the area which needs resolving.
but once running it is not possible by default to write system variables by URL input.
Andrew.
This answer is rather troubling in my opinion, as it really only addresses half of the issue, but anyone running it on *nix should already know the env vars it sets.
What about tampering with user agents? Or through POST requests? The way Wowza operates (to my somewhat limited knowledge) would seem to imply a specially crafted POST request could be an issue.
Has this been tested at all by the Wowza team, or am I better off finding out on my own?