[Live-devel] Unauthenticated path traversal via RTSP DESCRIBE
Ross Finlayson
finlayson at live555.com
Tue Jun 2 23:45:34 PDT 2026
I do not consider this to be a bug or a ‘vulnerability’. In fact, it is a ‘feature’. A streamable media file can be placed anywhere in the file system, and - as long as it can be read by the “LIVE555 Media Server” - it can be streamed using an appropriate URL.
Note that the “LIVE555 Media Server” will read only streamable media files - not other (non-media) files (such as password files, for instance). Also, if you want the “LIVE555 Media Server” to be able to access only a subset of the file system, then you easily can do so - e.g., by setting up a ‘chroot jail’.
Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
More information about the live-devel
mailing list