Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the Wowza Streaming Engine 4.5.0 enginemanager interface for reflected cross-site scripting (XSS) issues. Specifically, you can attempt to inject script payloads into parameters such as appName, vhost, uiAppType, and wowzaCloudDestinationType in various endpoints and observe if the input is improperly reflected back without sanitization.'}, {'type': 'paragraph', 'content': 'Some endpoints to test include URLs like /enginemanager/applications/live/main/view.htm and /enginemanager/applications/liveedge/main/edit.htm among others. You can use tools like curl or a web proxy/interceptor (e.g., Burp Suite) to send crafted requests with script tags in these parameters.'}, {'type': 'list_item', 'content': 'Example curl command to test appName parameter for XSS: curl -G "http://<wowza-server>/enginemanager/applications/live/main/view.htm" --data-urlencode "appName=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'Use a web browser or automated scanner to check if the injected script executes or appears in the response HTML.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Wowza Streaming Engine enginemanager interface to trusted users only, ideally behind a VPN or firewall, to reduce exposure to attackers.

Avoid interacting with the vulnerable parameters (appName, vhost, uiAppType, wowzaCloudDestinationType) with untrusted input until a patch or update is applied.

Monitor for updates or patches from Wowza Media Systems addressing these reflected XSS vulnerabilities and apply them as soon as they become available.

Consider using web application firewalls (WAFs) that can detect and block reflected XSS attack patterns targeting these parameters.

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2016-20036 is a set of multiple reflected cross-site scripting (XSS) vulnerabilities found in Wowza Streaming Engine version 4.5.0, specifically in the enginemanager interface.'}, {'type': 'paragraph', 'content': 'The issue arises because input passed through various parameters such as appName, vhost, uiAppType, and wowzaCloudDestinationType is not properly sanitized before being reflected back to users.'}, {'type': 'paragraph', 'content': "This improper input handling allows attackers to inject malicious HTML and JavaScript code that executes within a user's browser session when they interact with the affected interface."}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow attackers to execute arbitrary HTML and JavaScript code in the context of a user's browser session when interacting with the Wowza Streaming Engine management interface."}, {'type': 'list_item', 'content': 'Attackers can hijack user sessions.'}, {'type': 'list_item', 'content': 'They may perform actions such as defacement or injecting malicious content.'}, {'type': 'list_item', 'content': 'It can lead to unauthorized actions being performed on behalf of the user.'}, {'type': 'paragraph', 'content': 'The overall impact is moderate, with a CVSS v3.1 base score of 6.1, indicating a network-based attack with low complexity but requiring user interaction.'}] [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0