[asterisk-users] Trixbox Phones Home
Jay R. Ashworth
jra at baylink.com
Mon Dec 17 11:39:41 CST 2007
On Sun, Dec 16, 2007 at 10:27:36PM -0600, Than Taro wrote:
> As I pointed out here last night, there is also a very serious
> security vulnerability associated with this. Example: An attacker
> could compromise the script that is used on the remote host, and
> set it to force clients that connect to run a command such as "rm
> -rf /". There are about half a dozen ways I could see this being
> abused - in either a "one off" or an "every installation" scenario.
> Fonality has yet to acknowledge this aspect of the issue - and I
> fear that they never will.
Ok, then I *didn't* misread the advisory. Yes: whoever thought that
*retrieving commands to execute in a privileged fashion from a
non-authenticated remote source* was a pretty neat idea?
*This* is the thing for which Fonality should be hoist, not the phone
home aspect, per se.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Witty slogan redacted until AMPTP stop screwing WGA
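The design flaw the thread is discussing (a client fetching a script from a remote host and executing it, as root, without any way to tell whether the script is the vendor's or an attacker's) is easy to illustrate in code. The following is an added example, not Trixbox's or Fonality's code and not from this thread: it contrasts an unverified "run whatever the server sent" path with one that refuses any script whose authentication tag does not verify. The shared key, the script bytes and the tampered variant are all constructed for the demo; in the simulated executor nothing is actually run, the commands are only returned as a list.

```python
import hashlib
import hmac
from typing import List

# Constructed demo secret shared by the update server and the installed client.
# A real deployment would prefer a public-key signature (e.g. Ed25519) so that
# a single compromised client cannot forge updates for every other installation.
UPDATE_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_script(script: bytes, key: bytes = UPDATE_KEY) -> str:
    """Server side: HMAC-SHA256 tag over the exact bytes that will be shipped."""
    return hmac.new(key, script, hashlib.sha256).hexdigest()


def fetch_and_run_unverified(script: bytes) -> List[str]:
    """The pattern described in the thread: whatever came back from the remote
    host is 'executed'. Here execution is simulated by returning the command
    lines, so a tampered script is visible but harmless."""
    return script.decode().splitlines()


def fetch_and_run_verified(script: bytes, tag: str, key: bytes = UPDATE_KEY) -> List[str]:
    """Hardened pattern: authenticate the script before anything is executed.
    compare_digest avoids leaking tag bytes through timing differences."""
    expected = sign_script(script, key)
    if not hmac.compare_digest(expected, tag):
        # Refuse loudly; a silently ignored update is the next thing an
        # operator should be alerted about.
        raise ValueError("update script failed authentication; refusing to execute")
    return script.decode().splitlines()


if __name__ == "__main__":
    # Constructed check-in script as the vendor would publish it, with its tag.
    genuine = b"echo check-in\n"
    tag = sign_script(genuine)
    print("verified genuine:", fetch_and_run_verified(genuine, tag))

    # Constructed example of the script altered on the (compromised) remote host.
    tampered = genuine + b"rm -rf /\n"
    print("unverified path would run:", fetch_and_run_unverified(tampered))
    try:
        fetch_and_run_verified(tampered, tag)
    except ValueError as err:
        print("verified path:", err)
```

Authentication is only half of the fix the thread implies: even a correctly signed script should not need root, so the account the client runs it under is the other control worth reviewing.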