[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]

Tzafrir Cohen tzafrir.cohen at xorcom.com
Mon Sep 3 08:33:34 CDT 2012


On Sat, Sep 01, 2012 at 07:33:29PM -0500, Matthew  Jordan wrote:

> > > So maybe this means that the 'originate' permission should not
> > > grant
> > > permission to the 'Application' form of originating a call?
> > > 'originate'
> > > should be a simple method of creating a call to an existing
> > > context.
> 
> There are still ways around this, unless you want to parse and validate
> every application/data fields passed in with an Originate action.  

If Application is given, the 'originate' permission will not be used. So
we don't need to worry about this one.

> Even then,
> the fact that you can create a Local channel and send one half of it into
> any arbitrary context means you can exploit poorly written dialplans.

Olle's suggested fix of limiting a context mitigates that: the context
you do expose should not have that.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir



More information about the asterisk-dev mailing list