[asterisk-bugs] [JIRA] (ASTERISK-23609) Security: AMI action MixMonitor allows arbitrary programs to be run

Matt Jordan (JIRA) noreply at issues.asterisk.org
Thu Jun 12 15:52:59 CDT 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-23609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-23609:
-----------------------------------

    Security:     (was: Reporter, Bug Marshals, and Digium)

> Security: AMI action MixMonitor allows arbitrary programs to be run
> -------------------------------------------------------------------
>
>                 Key: ASTERISK-23609
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23609
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Applications/app_mixmonitor
>    Affects Versions: SVN, 11.8.1, 12.1.1
>            Reporter: Corey Farrell
>            Assignee: Jonathan Rose
>              Labels: Security
>      Target Release: 11.10.1, 12.3.1
>
>
> The AMI MixMonitor action does not require permissions, but allows the AMI user to execute arbitrary programs by appending Options in Asterisk 11+, or through direct use of the new Command parameter.  I'm not sure which permission should be required, but something more than 0.
> This issue was noticed when I saw r412048 on asterisk-commits.


