[asterisk-bugs] [JIRA] (ASTERISK-23609) Security: AMI action MixMonitor allows arbitrary programs to be run

Matt Jordan (JIRA) noreply at issues.asterisk.org
Tue Jul 8 09:56:11 CDT 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-23609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-23609:
-----------------------------------

    Target Release Version/s: 12.4.0

> Security: AMI action MixMonitor allows arbitrary programs to be run
> -------------------------------------------------------------------
>
>                 Key: ASTERISK-23609
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23609
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Applications/app_mixmonitor
>    Affects Versions: SVN, 11.8.1, 12.1.1
>            Reporter: Corey Farrell
>            Assignee: Jonathan Rose
>              Labels: Security
>      Target Release: 11.10.1, 11.11.0, 12.3.1, 12.4.0
>
>
> The AMI MixMonitor action does not require permissions, but allows the AMI user to execute arbitrary programs by appending Options in Asterisk 11+, or through direct use of the new Command parameter.  I'm not sure which permission should be required, but something more than 0.
> This issue was noticed when I saw r412048 on asterisk-commits.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list