[asterisk-bugs] [JIRA] (ASTERISK-30176) manager: GetConfig can read files outside of Asterisk
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Sat Dec 3 10:31:51 CST 2022
[ https://issues.asterisk.org/jira/browse/ASTERISK-30176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=260802#comment-260802 ]
Friendly Automation commented on ASTERISK-30176:
------------------------------------------------
Change 19661 merged by Friendly Automation:
manager: prevent file access outside of config dir
[https://gerrit.asterisk.org/c/asterisk/+/19661|https://gerrit.asterisk.org/c/asterisk/+/19661]
> manager: GetConfig can read files outside of Asterisk
> -----------------------------------------------------
>
> Key: ASTERISK-30176
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-30176
> Project: Asterisk
> Issue Type: Security
> Security Level: None
> Components: Core/ManagerInterface
> Affects Versions: 18.13.0
> Environment: Linux Ubuntu 20.04 LTS with asterisk built from source
> Reporter: shawty
> Severity: Blocker
> Labels: security
> Target Release: 16.29.1, 18.15.1, 19.7.1, 20.0.1
>
>
> As per the request made by "jcolp" here : https://community.asterisk.org/t/synchronising-voicemail-folders/93584/32
> I've discovered that any config file that follows the same section/key:value format as the config files Asterisk uses can be read by the "GetConfig" manager command, given the file system permissions allow it.
> Files not in the same format (such as /etc/passwd) will cause an error, but the method does still try to read them.
> I successfully managed to read the samba config file, among others on the dev server I was using for my asterisk work.
> I initially found this out, as I was looking for a way to access the TXT files that are used to store Voicemail message info, and found that by specifying the full path to the file I was able to read it.
> My curiosity being what it is, I tried this on some non asterisk files and was surprised to see that I could read those too.
> This was on a default installation, so no extra steps have been taken to lock down files and configs from other apps running on the same server instance. Files do need to have the group & others read ability set, which on a default install is generally every config in /etc and many others.
> I have NOT however tested to see if writes work outside of asterisk's files.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
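The report above describes the bug (a GetConfig "Filename" that is an absolute path, or that escapes the config directory, gets read as long as the Asterisk process can open it) and the merged change is titled "prevent file access outside of config dir". The following is an added example, not code from Asterisk or from change 19661, showing the shape of check that intent calls for: resolve the requested name against the config directory and reject anything whose real path ends up outside it. The directory layout, file contents and the "naive" contrasting check are constructed here for illustration; whether Asterisk's actual fix handles symlinks or ".." in exactly this way is not stated on this page and is an assumption.

```python
import os
import shutil
import tempfile


def is_within_config_dir(filename: str, config_dir: str) -> bool:
    """Return True only if `filename` resolves to a path inside `config_dir`.

    `filename` may be absolute or relative; relative names are taken
    relative to the config directory, which is how GetConfig treats them.
    Both sides are realpath()-resolved so that '..' segments and symlinks
    cannot move the lookup outside the directory.
    """
    config_real = os.path.realpath(config_dir)
    candidate = filename if os.path.isabs(filename) else os.path.join(config_dir, filename)
    target_real = os.path.realpath(candidate)
    return target_real == config_real or target_real.startswith(config_real + os.sep)


def naive_prefix_check(filename: str, config_dir: str) -> bool:
    """String-prefix check on the *unresolved* path, kept here for contrast.

    It rejects an absolute path such as /etc/samba/smb.conf but still lets
    '../' segments and symlinks through, which is why the resolved check
    above is the one to use.
    """
    candidate = filename if os.path.isabs(filename) else os.path.join(config_dir, filename)
    return candidate.startswith(config_dir.rstrip(os.sep) + os.sep)


def build_getconfig_action(filename: str, action_id: str = "1") -> str:
    """Render the AMI GetConfig action as it goes over the wire (CRLF-terminated).

    The Filename header is the only field the reporter varied.
    """
    return (
        "Action: GetConfig\r\n"
        f"ActionID: {action_id}\r\n"
        f"Filename: {filename}\r\n"
        "\r\n"
    )


def demo() -> dict:
    """Build a constructed directory layout and classify five GetConfig requests.

    Layout (all under a throwaway temp dir; nothing touches the real /etc):
      <root>/asterisk/sip.conf                       legitimate config
      <root>/etc/smb.conf                            non-Asterisk config, same format
      <root>/asterisk/link.conf -> ../etc/smb.conf   symlink escape
    Returns {label: (resolved_check, naive_check)}.
    """
    root = tempfile.mkdtemp(prefix="getconfig-demo-")
    try:
        config_dir = os.path.join(root, "asterisk")
        outside_dir = os.path.join(root, "etc")
        os.makedirs(config_dir)
        os.makedirs(outside_dir)
        with open(os.path.join(config_dir, "sip.conf"), "w") as f:
            f.write("[general]\ncontext=default\n")          # constructed content
        with open(os.path.join(outside_dir, "smb.conf"), "w") as f:
            f.write("[global]\nworkgroup = WORKGROUP\n")      # constructed content
        os.symlink(os.path.join("..", "etc", "smb.conf"),
                   os.path.join(config_dir, "link.conf"))

        requests = {
            "relative": "sip.conf",
            "absolute_inside": os.path.join(config_dir, "sip.conf"),
            "absolute_outside": os.path.join(outside_dir, "smb.conf"),
            "dotdot": os.path.join("..", "etc", "smb.conf"),
            "symlink": "link.conf",
        }
        results = {}
        for label, filename in requests.items():
            results[label] = (
                is_within_config_dir(filename, config_dir),
                naive_prefix_check(filename, config_dir),
            )
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, (resolved_ok, naive_ok) in demo().items():
        print(f"{label:16s} resolved={resolved_ok!s:5s} naive={naive_ok!s:5s}")
        print(build_getconfig_action(label).replace("\r\n", "\\r\\n"))
```

Of the five requests only the two pointing at sip.conf pass the resolved check; the absolute path outside, the "../" path and the symlink are all rejected, while the unresolved prefix check wrongly lets the last two through. The point of comparing resolved paths rather than the requested string is that the process's file permissions, which the report notes are wide open on a default install, are not the control here; the config directory boundary is.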