[asterisk-bugs] [Asterisk 0011749]: [patch] AMI challenge/response authentication uses user supplied secret to calculate hash
noreply at bugs.digium.com
Mon Jan 14 14:00:14 CST 2008
The following issue has been ASSIGNED.
======================================================================
http://bugs.digium.com/view.php?id=11749
======================================================================
Reported By: srt
Assigned To: file
======================================================================
Project: Asterisk
Issue ID: 11749
Category: Core/ManagerInterface
Reproducibility: always
Severity: major
Priority: normal
Status: assigned
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!): 98514
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 01-12-2008 09:40 CST
Last Modified: 01-14-2008 14:00 CST
======================================================================
Summary: [patch] AMI challenge/response authentication uses
user supplied secret to calculate hash
Description:
When using challenge/response authentication with AMI the "Login" action
uses the secret supplied with the "Login" action instead of the one from
manager.conf to calculate the MD5 hash.
This has two effects:
1. Login with "AuthType: MD5" and "Key:" but without a "Secret:" always
fails
2. Anybody who knows a valid username can log in without knowing the secret
configured in manager.conf
======================================================================
----------------------------------------------------------------------
svnbot - 01-14-08 14:00
----------------------------------------------------------------------
Repository: asterisk
Revision: 98830
U trunk/main/manager.c
------------------------------------------------------------------------
r98830 | file | 2008-01-14 14:00:11 -0600 (Mon, 14 Jan 2008) | 4 lines
Make sure the user's manager secret exists, even if it is blank.
(closes issue http://bugs.digium.com/view.php?id=11749)
Reported by: srt
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=98830
Issue History
Date Modified   Username   Field         Change
======================================================================
01-14-08 14:00  svnbot     Checkin
01-14-08 14:00  svnbot     Note Added: 0076920
01-14-08 14:00  svnbot     Status        new => assigned
01-14-08 14:00  svnbot     Assigned To   => file
======================================================================
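
The two effects listed in the description can be captured as a regression check. The following is an added example, not Asterisk's code and not part of the report or the commit: it models a login check that hashes the request's own "Secret:" beside one that hashes the configured secret. It assumes the key is the hex MD5 of the challenge followed by the secret; MANAGER_CONF, the challenge value and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for manager.conf: username -> configured secret.
MANAGER_CONF = {"admin": "s3cret-from-conf"}
CHALLENGE = "840415273"  # constructed challenge value issued by the server


def md5_key(challenge, secret):
    """Hex MD5 over challenge followed by secret (assumed key derivation)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def _same(a, b):
    # Constant-time comparison of the expected and received keys.
    return hmac.compare_digest(a.encode(), b.encode())


def login_flawed(headers, challenge):
    """Reported behaviour: the hash is computed from the request's own Secret."""
    if headers.get("Username") not in MANAGER_CONF:
        return False
    supplied = headers.get("Secret")
    if supplied is None:
        return False  # effect 1: MD5 login without "Secret:" always fails
    # effect 2: the configured secret never enters the check
    return _same(md5_key(challenge, supplied), headers.get("Key", ""))


def login_fixed(headers, challenge):
    """Expected behaviour: hash the configured secret, ignore any supplied one."""
    configured = MANAGER_CONF.get(headers.get("Username"))
    if configured is None:
        return False
    return _same(md5_key(challenge, configured), headers.get("Key", ""))


def regression_cases():
    """Return {case: (flawed_result, fixed_result)} for two constructed logins."""
    base = {"Action": "Login", "AuthType": "MD5", "Username": "admin"}
    cases = {
        # Correct client: Key from the real secret, no Secret header sent.
        "key_only": dict(base, Key=md5_key(CHALLENGE, "s3cret-from-conf")),
        # Key derived from a Secret header that does not match manager.conf.
        "wrong_secret": dict(base, Secret="not-it", Key=md5_key(CHALLENGE, "not-it")),
    }
    return {n: (login_flawed(h, CHALLENGE), login_fixed(h, CHALLENGE))
            for n, h in cases.items()}
```

A check of this shape belongs in the test suite for any challenge/response verifier: the "wrong_secret" case must be rejected and the "key_only" case must be accepted.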