[asterisk-bugs] [Asterisk 0011749]: [patch] AMI challenge/response authentication uses user supplied secret to calculate hash
noreply at bugs.digium.com
Sun Jan 13 05:10:16 CST 2008
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=11749
======================================================================
Reported By: srt
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 11749
Category: Core/ManagerInterface
Reproducibility: always
Severity: major
Priority: normal
Status: new
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!): 98514
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 01-12-2008 09:40 CST
Last Modified: 01-13-2008 05:10 CST
======================================================================
Summary: [patch] AMI challenge/response authentication uses
user supplied secret to calculate hash
Description:
When using challenge/response authentication with AMI the "Login" action
uses the secret supplied with the "Login" action instead of the one from
manager.conf to calculate the MD5 hash.
This has two effects:
1. Login with "AuthType: MD5" and "Key:" but without a "Secret:" always
fails
2. Anybody who knows a valid username can log in without knowing the secret
configured in manager.conf
======================================================================
----------------------------------------------------------------------
mvanbaak - 01-13-08 05:10
----------------------------------------------------------------------
I think you are right.
Issue History
Date Modified   Username       Field                    Change
======================================================================
01-13-08 05:10  mvanbaak       Note Added: 0076841
======================================================================
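
The check described in this report, next to the expected one, as an added Python sketch that is not Asterisk's code or the patch attached to the issue. Assumptions: the key is the hex MD5 of the challenge followed by the secret, and the `CONFIGURED_SECRETS` table, the header dictionaries and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the per-user secret configured in manager.conf.
CONFIGURED_SECRETS = {"admin": "configured-secret"}


def md5_key(challenge, secret):
    """Hex MD5 of challenge followed by secret (ordering is an assumption)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def _key_matches(expected, headers):
    supplied = headers.get("Key", "").lower()
    return hmac.compare_digest(expected.encode(), supplied.encode())


def verify_login_flawed(challenge, headers):
    """Reported behaviour: the hash is computed from the Login action's Secret."""
    if headers.get("Username") not in CONFIGURED_SECRETS:
        return False
    if headers.get("AuthType") != "MD5" or "Secret" not in headers:
        return False  # effect 1: a Key without a Secret can never succeed
    # effect 2: the configured secret never enters the calculation
    return _key_matches(md5_key(challenge, headers["Secret"]), headers)


def verify_login_fixed(challenge, headers):
    """Expected behaviour: only the configured secret is hashed."""
    secret = CONFIGURED_SECRETS.get(headers.get("Username"))
    if secret is None or headers.get("AuthType") != "MD5":
        return False
    return _key_matches(md5_key(challenge, secret), headers)


def sample_logins(challenge):
    """Two constructed Login actions for a regression check."""
    correct = {"Username": "admin", "AuthType": "MD5",
               "Key": md5_key(challenge, "configured-secret")}
    wrong = {"Username": "admin", "AuthType": "MD5", "Secret": "not-the-secret",
             "Key": md5_key(challenge, "not-the-secret")}
    return correct, wrong


if __name__ == "__main__":
    correct, wrong = sample_logins("123456789")
    for name, check in (("flawed", verify_login_flawed), ("fixed", verify_login_fixed)):
        print(name, check("123456789", correct), check("123456789", wrong))
```

A regression test for the fix should assert both directions: the login built from the configured secret is accepted, and the login carrying a different secret is rejected.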