Radio TV Stage Test Wowza Backdoor

We discovered an unfortunate backdoor in the Wowza plugin. The problem is as follows.

When summa requests to play a file, it sends two parameters:

  1. rmtp://iapetus/doms?skldfhskdfhdskjhfgskd
  2. flv:filename.flv

Now, the doms plugins decode the right filename from 1, but if the doms plugin is not on the classpath, execution simply continues on to the flv player. The flv player just reads the value of 2 and attempts to play it. If it is configured to request files from the correct folder, the file will play. The simple workaround is to have the Wowza config point to a wrong folder (so that the flv player cannot play on its own) while the doms plugins are still able to decode the correct location of the video file. Thus, the video should not be played unless the doms plugin is actually run.

To test this, ensure that you have a test environment as identical as possible to stage.

  1. Access the doms search interface that is configured to use the test instance of Wowza
  2. Attempt to play a video
  3. The video should play
  4. Go into the services/doms_wowza_vhost folder
  5. mv applications/lib .
  6. Restart Wowza
  7. Access the doms search interface that is configured to use the test instance of Wowza
  8. Attempt to play a video
  9. You should get an "unable to find stream" error or something similar.
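
The fail-open behaviour and the workaround described above, as a small Python model added here (it is not the plugin's or Wowza's code). The ticket table, function names and temporary folders are assumptions made for illustration; the model only shows which combinations of "plugin on classpath" and "configured folder" end in playback.

```python
import os
import tempfile

# Constructed ticket table: the real decoding done by the doms plugin is not shown on the page.
TICKETS = {"skldfhskdfhdskjhfgskd": "filename.flv"}

def doms_decode(query, real_dir):
    """Stand-in for the doms plugin: resolve parameter 1 to the real file location."""
    name = TICKETS.get(query)
    if name is None:
        return None
    path = os.path.join(real_dir, name)
    return path if os.path.isfile(path) else None

def flv_resolve(stream_param, storage_dir):
    """Stand-in for the flv player: trust parameter 2 and look in the configured folder."""
    name = os.path.basename(stream_param.partition(":")[2])
    path = os.path.join(storage_dir, name)
    return path if os.path.isfile(path) else None

def play(query, stream_param, storage_dir, real_dir, plugin_on_classpath):
    # With the plugin missing, execution falls through to the flv player (the fail-open path).
    if plugin_on_classpath:
        return doms_decode(query, real_dir)
    return flv_resolve(stream_param, storage_dir)

def scenario_results():
    """Run all four combinations; True means the video would play."""
    with tempfile.TemporaryDirectory() as root:
        real_dir = os.path.join(root, "videos")   # where the files really live
        decoy_dir = os.path.join(root, "empty")   # the "wrong folder" workaround
        os.makedirs(real_dir)
        os.makedirs(decoy_dir)
        with open(os.path.join(real_dir, "filename.flv"), "wb") as f:
            f.write(b"FLV")
        results = {}
        for label, storage in (("storage=real", real_dir), ("storage=decoy", decoy_dir)):
            for plugin in (True, False):
                path = play("skldfhskdfhdskjhfgskd", "flv:filename.flv",
                            storage, real_dir, plugin)
                results[(label, plugin)] = path is not None
        return results

if __name__ == "__main__":
    for (label, plugin), played in scenario_results().items():
        outcome = "plays" if played else "unable to find stream"
        print(f"{label:14} plugin={plugin!s:5} -> {outcome}")
```

Only the combination of the real folder with the plugin missing is the backdoor; with the decoy folder configured, removing the plugin ends in the error expected in step 9.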