[asterisk-users] Trixbox Arbitrary Command Execution Vulnerability

Than Taro thanrantaro at live.com
Sat Dec 15 22:42:29 CST 2007


A set of scripts was recently discovered in the trixbox line of PBX
products which connect to a remote host every 24 hours to retrieve an
arbitrary list of commands to be executed locally.  These scripts were
added under the guise of submitting 'anonymous usage statistics'.
However, with the help of DNS pollution, or malice on the part of the
sponsoring company (Fonality), all up-to-date versions of trixbox could
be instantly disabled, or worse.

According to trixbox Community Director, Kerry Gerrison, a new version
of trixbox will be available by December 18th which will allow you to
'opt out' of this behavior (meaning that it will still be enabled by
default).


Further details:
http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home
http://www.trixbox.org/trixboxs-new-hardware-audting-tool

