[asterisk-users] AST-2009-009: Cross-site AJAX request vulnerability

Asterisk Security Team security at asterisk.org
Wed Nov 4 14:12:36 CST 2009


               Asterisk Project Security Advisory - AST-2009-009

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Cross-site AJAX request vulnerability           |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Cross-site AJAX request exploitation            |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | October 26, 2009                                |
   |----------------------+-------------------------------------------------|
   |     Reported By      | issues.asterisk.org user jcollie                |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp <jcolp AT digium DOT com>           |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2008-7220                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk includes a demonstration AJAX based manager     |
   |             | interface, ajamdemo.html which uses the prototype.js     |
   |             | framework. An issue was uncovered in this framework      |
   |             | which could allow someone to execute a cross-site AJAX   |
   |             | request exploit.                                         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.1.x | All versions prior to 1.6.1.9   |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.12  |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | All versions prior to C.2.4.5   |
   |                            |         | and C.3.2.2                     |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | All versions                    |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | Unaffected                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                   |          Release          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.4.26.3          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.6.0.17          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |          1.6.1.9          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |         B.2.5.12          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          C.2.4.5          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          C.3.2.2          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                            SVN URL                            |Revision|
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-009-1.4.diff.txt  |1.4     |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-009-1.6.0.diff.txt|1.6.0   |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-009-1.6.1.diff.txt|1.6.1   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |     Links      | https://issues.asterisk.org/view.php?id=16139         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-009.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-009.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |         Date          |      Editor       |       Revisions Made       |
   |-----------------------+-------------------+----------------------------|
   | October 29, 2009      | Joshua Colp       | Initial release            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-009
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-users mailing list