[asterisk-bugs] [Asterisk 0011749]: [patch] AMI challenge/response authentication uses user supplied secret to calculate hash
noreply at bugs.digium.com
Sat Jan 12 16:16:39 CST 2008
The following issue has been UPDATED.
======================================================================
http://bugs.digium.com/view.php?id=11749
======================================================================
Reported By: srt
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 11749
Category: Core/ManagerInterface
Reproducibility: always
Severity: major
Priority: normal
Status: new
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!): 98514
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 01-12-2008 09:40 CST
Last Modified: 01-12-2008 16:16 CST
======================================================================
Summary: [patch] AMI challenge/response authentication uses
user supplied secret to calculate hash
Description:
When using challenge/response authentication with AMI the "Login" action
uses the secret supplied with the "Login" action instead of the one from
manager.conf to calculate the MD5 hash.
This has two effects:
1. Login with "AuthType: MD5" and "Key:" but without a "Secret:" always
fails
2. Anybody who knows a valid username can log in without knowing the secret
configured in manager.conf
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
01-12-08 16:16 mvanbaak View Status private => public
======================================================================
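
A Python model of the check described in the report, as an added example that is not Asterisk's code or the attached patch. It assumes the MD5 key is the hex MD5 of the challenge followed by the secret; the function names, the `CONFIGURED_SECRETS` table and all sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the user sections of manager.conf.
CONFIGURED_SECRETS = {"admin": "secret-from-manager-conf"}
CHALLENGE = "123456789"  # constructed challenge value issued by the server


def md5_key(challenge, secret):
    """Hex MD5 over challenge + secret (assumed key format for AuthType: MD5)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def _match(expected, key):
    # Constant-time comparison of the expected and received hex digests.
    return hmac.compare_digest(expected.encode(), key.lower().encode())


def login_as_reported(fields, challenge):
    """Behaviour in the report: the hash is built from the request's Secret: header."""
    if fields.get("Username") not in CONFIGURED_SECRETS:
        return False
    supplied, key = fields.get("Secret"), fields.get("Key")
    if supplied is None or key is None:
        return False  # effect 1: Key: without Secret: always fails
    return _match(md5_key(challenge, supplied), key)  # effect 2: any secret passes


def login_expected(fields, challenge):
    """Intended behaviour: the hash is built from the configured secret only."""
    secret = CONFIGURED_SECRETS.get(fields.get("Username"))
    key = fields.get("Key")
    if secret is None or key is None:
        return False
    return _match(md5_key(challenge, secret), key)


def sample_requests():
    """Two constructed Login requests: a correct client and one using a wrong secret."""
    correct = {"AuthType": "MD5", "Username": "admin",
               "Key": md5_key(CHALLENGE, CONFIGURED_SECRETS["admin"])}
    wrong = {"AuthType": "MD5", "Username": "admin", "Secret": "not-the-secret",
             "Key": md5_key(CHALLENGE, "not-the-secret")}
    return correct, wrong


if __name__ == "__main__":
    for name, req in zip(("correct client", "wrong secret"), sample_requests()):
        print(name, "reported:", login_as_reported(req, CHALLENGE),
              "expected:", login_expected(req, CHALLENGE))
```

A regression test for the fix can assert exactly these four outcomes: the correct client must pass only the configured-secret check, and the wrong-secret request must fail it.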