[asterisk-bugs] [Asterisk 0011749]: [patch] AMI challenge/response authentication uses user supplied secret to calculate hash
noreply at bugs.digium.com
Sat Jan 12 23:26:25 CST 2008
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=11749
======================================================================
Reported By: srt
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 11749
Category: Core/ManagerInterface
Reproducibility: always
Severity: major
Priority: normal
Status: new
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!): 98514
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 01-12-2008 09:40 CST
Last Modified: 01-12-2008 23:26 CST
======================================================================
Summary: [patch] AMI challenge/response authentication uses
user supplied secret to calculate hash
Description:
When using challenge/response authentication with AMI the "Login" action
uses the secret supplied with the "Login" action instead of the one from
manager.conf to calculate the MD5 hash.
This has two effects:
1. Login with "AuthType: MD5" and "Key:" but without a "Secret:" always
fails
2. Anybody who knows a valid username can log in without knowing the secret
configured in manager.conf
======================================================================
----------------------------------------------------------------------
Corydon76 - 01-12-08 23:26
----------------------------------------------------------------------
Actually, I think we could simply ask if (user->secret), because a blank
secret should also be valid (as would be the case without MD5 hashing).
Issue History
Date Modified Username Field Change
======================================================================
01-12-08 23:26 Corydon76 Note Added: 0076833
======================================================================
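
The check described in this issue, modelled next to a corrected one as an added Python example; it is not Asterisk's code and not the attached patch. The user table, header dictionaries, challenge value and the challenge-then-secret hash order are assumptions, and the handling of a blank versus missing secret follows the suggestion in the note above.

```python
import hashlib
import hmac

# Constructed stand-in for manager.conf: username -> configured secret.
# None models an entry with no secret at all; "" models a blank secret.
CONFIGURED = {"admin": "conf-secret", "blank": "", "nosecret": None}
CHALLENGE = "840415273"  # constructed challenge value issued by the server

def md5_key(challenge, secret):
    # Assumed construction: hex MD5 over the challenge followed by the secret.
    return hashlib.md5((challenge + secret).encode()).hexdigest()

def login_buggy(headers, challenge=CHALLENGE):
    # Behaviour in the report: the hash is computed from the request's Secret.
    if headers.get("Username") not in CONFIGURED:
        return False
    supplied = headers.get("Secret")
    if supplied is None:  # effect 1: Key without Secret always fails
        return False
    return headers.get("Key") == md5_key(challenge, supplied)

def login_fixed(headers, challenge=CHALLENGE):
    # Corrected check: only the configured secret feeds the hash.
    secret = CONFIGURED.get(headers.get("Username"))
    if secret is None:  # unknown user, or no secret configured
        return False
    expected = md5_key(challenge, secret).encode()
    return hmac.compare_digest(headers.get("Key", "").encode(), expected)

def regression_cases():
    # Each request maps to (buggy result, fixed result).
    requests = {
        "key_from_conf_secret": {"Username": "admin",
                                 "Key": md5_key(CHALLENGE, "conf-secret")},
        "key_from_request_secret": {"Username": "admin", "Secret": "guess",
                                    "Key": md5_key(CHALLENGE, "guess")},
        "blank_conf_secret": {"Username": "blank", "Key": md5_key(CHALLENGE, "")},
        "no_conf_secret": {"Username": "nosecret", "Secret": "guess",
                           "Key": md5_key(CHALLENGE, "guess")},
    }
    return {n: (login_buggy(h), login_fixed(h)) for n, h in requests.items()}

if __name__ == "__main__":
    for name, result in regression_cases().items():
        print(name, result)
```

The second tuple element is the one to keep as a regression test: a Key derived from anything other than the configured secret must be rejected.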