[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Sep 4 04:14:40 CDT 2012
On Mon, Sep 03, 2012 at 05:30:23PM -0500, Matthew Jordan wrote:
>
> ----- Original Message -----
> > From: "Tzafrir Cohen" <tzafrir.cohen at xorcom.com>
> > To: asterisk-dev at lists.digium.com
> > Sent: Monday, September 3, 2012 8:33:34 AM
> > Subject: Re: [asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User
> > Unauthorized Shell Access]
> >
> > On Sat, Sep 01, 2012 at 07:33:29PM -0500, Matthew Jordan wrote:
> >
> >
> > If Application is given, the 'originate' permission will not be used. So
> > we don't need to worry about this one.
>
> That is not the current behavior. You do not need a permission other than the
> originate permission to execute an application.
Right. But my original point in this thread was that if one can execute
an application, one can effectively create a dialplan, which is
inherently insecure.
So what I'd like to know is what's the use case for an "unprivileged"
Originate with Application/Data?
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
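
An added example, not part of the original message or of Asterisk: a defender's audit of manager.conf text that lists accounts whose `write=` classes allow Originate, since the thread notes that originate alone is enough to execute an application. The account names and sample config are constructed, and the parser assumes plain `[section]` / `key = value` lines without templates or includes.

```python
# Added example: find AMI accounts whose write= classes allow Originate.
# SAMPLE_CONF is constructed for illustration; templates/#include are not handled.
import re

SAMPLE_CONF = """\
[general]
enabled = yes

[dialer]            ; constructed account
secret = example
read = call
write = originate

[admin]
secret = example
write = system,call,originate

[monitor]
write = all

[readonly]
read = call
"""

def parse_accounts(text):
    """Return {section: {key: value}} for every section except [general]."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            name = m.group(1)
            current = None if name == "general" else accounts.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return accounts

def originate_accounts(text):
    """Map each account that may Originate to whether it also holds 'system'."""
    result = {}
    for name, opts in parse_accounts(text).items():
        classes = {c.strip().lower() for c in opts.get("write", "").split(",") if c.strip()}
        if classes & {"originate", "all"}:       # 'all' grants every class
            result[name] = bool(classes & {"system", "all"})
    return result
```

Accounts mapped to `False` hold originate without system; those are the "unprivileged" Originate users the thread is asking about.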