[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Mon Sep 3 08:33:34 CDT 2012
On Sat, Sep 01, 2012 at 07:33:29PM -0500, Matthew Jordan wrote:
> > > So maybe this means that the 'originate' permission should not
> > > grant
> > > permission to the 'Application' form of originating a call?
> > > 'originate'
> > > should be a simple method of creating a call to an existing
> > > context.
>
> There are still ways around this, unless you want to parse and validate
> every application/data fields passed in with an Originate action.
If Application is given, the 'originate' permission will not be used. So
we don't need to worry about this one.
> Even then,
> the fact that you can create a Local channel and send one half of it into
> any arbitrary context means you can exploit poorly written dialplans.
Olle's suggested fix of limiting a context mitigates that: the context
you do expose should not have that.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-dev
mailing list