[asterisk-gui] "Asterisk GUI" and security suggestions

Pari Nannapaneni pari at digium.com
Wed May 30 13:24:55 MST 2007


Hi everyone,

I got comments from a couple of people saying that the way the GUI
executes system scripts is going to be a security concern.

The AsteriskGUI automatically adds the following context if it's not found in extensions.conf:

   [asterisk_guitools]
   exten = executecommand,1,System(${command})
   exten = executecommand,n,Hangup()


and the GUI executes commands/scripts on the local machine by sending a GET command like:
   action = originate &
   channel = Local/executecommand@asterisk_guitools &
   Variable = "command=sh whatever.sh" & ....

So, I am thinking of adding this context on login into the GUI
and removing it on logout. This is definitely not the solution for the actual
problem, but it will prevent the security problems once the system is configured.

Are there any other ways to improve/replace this in the GUI?

-Pari
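
The following audit sketch is an added example, not part of the original post or the asterisk-gui code. It scans dialplan text for `System()`/`TrySystem()` calls whose argument is built from a channel variable, as in the `[asterisk_guitools]` context quoted above. The sample config, the `[maintenance]` context and the function names are constructed for illustration.

```python
import re

# Constructed sample: the context quoted in the post, plus a hypothetical
# fixed-command extension for contrast.
SAMPLE_CONF = """\
[general]
static = yes

[asterisk_guitools]
exten = executecommand,1,System(${command})
exten = executecommand,n,Hangup()

[maintenance]  ; hypothetical context, not from the post
exten => rotate,1,System(/usr/local/bin/rotate_logs.sh)
exten => rotate,n,Hangup()
"""

# Matches "exten = name,priority,App(args)" and the "exten => ..." form.
# "same => ..." lines are outside the scope of this sketch.
EXTEN_RE = re.compile(r"^\s*exten\s*=>?\s*([^,]+),([^,]+),\s*(\w+)\((.*)\)\s*$", re.I)
SHELL_APPS = {"system", "trysystem"}  # dialplan applications that run a shell command

def strip_comment(line):
    # Asterisk config comments start with ';' unless escaped as '\;'
    return re.split(r"(?<!\\);", line, maxsplit=1)[0].rstrip()

def audit_dialplan(text):
    """Return (context, extension, priority, app, arg) for each shell-executing
    application whose argument contains a channel variable expansion."""
    findings, context = [], None
    for raw in text.splitlines():
        line = strip_comment(raw)
        header = re.match(r"^\s*\[([^\]]+)\]", line)
        if header:
            context = header.group(1)
            continue
        m = EXTEN_RE.match(line)
        if not m:
            continue
        name, prio, app, arg = (g.strip() for g in m.groups())
        if app.lower() in SHELL_APPS and "${" in arg:
            findings.append((context, name, prio, app, arg))
    return findings

if __name__ == "__main__":
    for ctx, name, prio, app, arg in audit_dialplan(SAMPLE_CONF):
        print(f"[{ctx}] {name},{prio}: {app}({arg}) passes a channel variable to the shell")
```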

