RSS Feed
« Remote Code Execution in BlogEngine.NET | Main | CUPS Local Privilege Escalation and Sandbox Escapes »

Wowza Streaming Engine Manager Directory Traversal and Local File Inclusion

Aon’s Cyber Solutions Security Testing Team (formerly GDS) recently discovered a security vulnerability affecting the Wowza Streaming Engine Manager software version, CVE-2018-19365.  The issue allows for local file inclusion with root privileges. Exploitation of this vulnerability requires authentication with an Administrator account, however a default administrator account with known or easily guessed passwords is commonly used.

ACS thanks Wowza for working together as part of the ACS coordinated disclosure process to identify, patch, and disclose this issue.  Patches are currently available in version and later.

Wowza Advisory:


The Wowza Streaming Engine Manager application allows for unauthorized access to the local file system of the server via the ‘/enginemanager/server/logs/download’ endpoint on the “logName” parameter. This allows for local files such as ‘/etc/passwd’ or ‘/etc/shadow’’ to be extracted by attackers in the form of a zip file.

Exploit URL:



HTTP/1.1 200 OK
Server: Winstone Servlet Engine v1.0.5
Content-Type: application/octet-stream Content-Disposition: attachement; filename=””
Connection: Close


The contents of /etc/shadow are included in the downloaded file.