Summary: ASTERISK-16613: [patch] MeetMe PIN handling broken
Reporter: kuj (kuj)
Labels:
Date Opened: 2010-08-24 20:35:13
Date Closed: 2010-10-05 09:47:54
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Applications/app_meetme
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) meetme_pins.patch, (1) pins_2.patch
Description:

The handling of PINs in app_meetme is broken. Users are prompted for PINs that don't exist, and regular users can gain conference admin privileges without a conference's admin PIN.

****** ADDITIONAL INFORMATION ******

conf => 100,,1

When entering MeetMe without the "a" flag, a normal user is still prompted for a PIN. They must press "#" to proceed, which confuses users.

conf => 100,1,2

When entering MeetMe without the "a" flag, both 1 and 2 are accepted as valid passwords (good). However, if MeetMe is called with the "a" flag and the user enters 1 for the PIN, they gain admin privileges (bad). Conf PIN and admin PIN are used interchangeably in the code.

The changes introduced with the resolution of issue 0015704 cause the first problem.

Verified to also exist in 1.8.0-beta(3|4); most likely the same in 1.6.x.
Comments:

By: kuj (kuj) 2010-08-24 20:37:05

meetme_pins.patch reverts the patch for 0015704, and provides tighter checks for the PINs that may be used for gaining ADMIN mode.

By: kuj (kuj) 2010-08-31 18:14:08

The patch for 1.8.0-beta4 is analogous to the posted patch, except that it uses ast_test_flag64() instead of ast_test_flag().

By: kuj (kuj) 2010-08-31 19:06:57

Dialplan used for testing:

exten => 100,1,Goto(confline,s,1)
exten => 101,1,Goto(confline-adm,s,1)

[confline]
exten => s,1,Background(enter-conf-call-number)
exten => s,n,WaitExten(20)
; Participants always dial a 3-digit conference number, optionally followed
; by the #-sign
exten => _XXX,1,MeetMe(${EXTEN},xwsp)
exten => _XXX,n,Hangup()
exten => _XXX#,1,Goto(${EXTEN:-4:3},1) ; emulates "StripLSD(1)"

[confline-adm]
identical to [confline] except for the MeetMe flags used: "Aaxs"

meetme.conf:
============
conf => 200
conf => 201,1
conf => 202,,2
conf => 203,1,2

test results:
=============
(key:
 n/p: not prompted for PIN, logged into MeetMe successfully;
 U:   prompts for PIN, login successful with "user pin" (or single PIN);
 A:   prompts for PIN, login successful with "admin pin";
 U+A: either PIN accepted)

E/C | 200 | 201 | 202 | 203
----------------------------------------------
100 | n/p |  U  | n/p | U+A
101 | n/p | n/p |  A  |  A

I believe the combo 101/201 (trying to become admin, with only one PIN set on the conference) should prompt for a PIN, and should accept the single PIN for admin mode. Therefore, my original patch was incomplete. pins_2.patch fixes this oversight, and yields the following test results:

E/C | 200 | 201 | 202 | 203
----------------------------------------------
100 | n/p |  U  | n/p | U+A
101 | n/p |  U  |  A  |  A

That should be exactly what I would expect from the PIN check.
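As an added illustration (not code from the report, from the attached patches, or from app_meetme.c), the following C program models the PIN policy that the corrected test matrix above describes: a small parser for the "conf => confno,pin,adminpin" lines of meetme.conf, the rule for when a caller must be prompted at all, and the check that decides whether an entered PIN admits the caller as a participant or as an admin. All struct and function names are mine. Two cases the report leaves open are filled in as marked assumptions: entering the admin PIN without the 'a' flag grants admin mode, and offering the user PIN in admin mode on a conference that has a distinct admin PIN is rejected rather than silently downgraded.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One meetme.conf entry: conf => confno[,pin[,adminpin]]  (hypothetical struct) */
struct meetme_conf {
    char confno[32];
    char pin[32];
    char pinadmin[32];
};

enum pin_result {
    PIN_NOT_REQUIRED,   /* admitted without being prompted */
    PIN_ACCEPTED_USER,  /* prompted; admitted as an ordinary participant */
    PIN_ACCEPTED_ADMIN, /* prompted; admitted with admin privileges */
    PIN_REJECTED        /* prompted; PIN does not unlock the requested mode */
};

/* Parse "conf => 203,1,2" into its fields. Empty fields are allowed, as in
 * "conf => 202,,2". Returns 1 on success, 0 if the line is not a conf entry. */
int parse_conf_line(const char *line, struct meetme_conf *out)
{
    char *fields[3];
    const char *p = line;
    int i;

    memset(out, 0, sizeof(*out));
    fields[0] = out->confno;
    fields[1] = out->pin;
    fields[2] = out->pinadmin;

    while (isspace((unsigned char)*p)) p++;
    if (strncmp(p, "conf", 4) != 0) return 0;
    p += 4;
    while (isspace((unsigned char)*p)) p++;
    if (strncmp(p, "=>", 2) != 0) return 0;
    p += 2;
    while (isspace((unsigned char)*p)) p++;

    for (i = 0; i < 3; i++) {
        size_t len = strcspn(p, ",;\r\n");   /* ';' starts a comment */
        size_t n = len;
        while (n > 0 && isspace((unsigned char)p[n - 1])) n--;   /* trim */
        if (n > sizeof(out->confno) - 1) n = sizeof(out->confno) - 1;
        memcpy(fields[i], p, n);
        fields[i][n] = '\0';
        p += len;
        if (*p != ',') break;
        p++;
    }
    return out->confno[0] != '\0';
}

/* Prompt only when there is a user PIN, or an admin PIN and the caller asked
 * for admin mode ('a' flag). An admin-only PIN must not prompt participants
 * (the "conf => 100,,1" complaint in the report). */
int meetme_pin_required(const struct meetme_conf *c, int admin_flag)
{
    return c->pin[0] != '\0' || (admin_flag && c->pinadmin[0] != '\0');
}

enum pin_result meetme_check_pin(const struct meetme_conf *c, int admin_flag,
                                 const char *entered)
{
    int has_admin = c->pinadmin[0] != '\0';
    int pin_ok    = c->pin[0] != '\0' && strcmp(entered, c->pin) == 0;
    int admin_ok  = has_admin && strcmp(entered, c->pinadmin) == 0;

    if (!meetme_pin_required(c, admin_flag))
        return PIN_NOT_REQUIRED;

    if (admin_flag) {
        /* Only the admin PIN grants admin mode, except when the conference has
         * no admin PIN: then its single PIN stands in (the 101/201 case). */
        if (admin_ok || (!has_admin && pin_ok))
            return PIN_ACCEPTED_ADMIN;
        /* Assumption: the user PIN offered for admin mode on a conference
         * with a distinct admin PIN is rejected, not downgraded. */
        return PIN_REJECTED;
    }
    /* Assumption: the admin PIN entered without 'a' still elevates the caller. */
    if (admin_ok) return PIN_ACCEPTED_ADMIN;
    if (pin_ok)   return PIN_ACCEPTED_USER;
    return PIN_REJECTED;
}

/* One cell of the report's matrix (n/p, U, A, U+A) for a conference/flag pair. */
const char *matrix_cell(const struct meetme_conf *c, int admin_flag)
{
    int user_ok, admin_ok;
    if (!meetme_pin_required(c, admin_flag)) return "n/p";
    user_ok  = c->pin[0] && meetme_check_pin(c, admin_flag, c->pin) != PIN_REJECTED;
    admin_ok = c->pinadmin[0] && meetme_check_pin(c, admin_flag, c->pinadmin) != PIN_REJECTED;
    if (user_ok && admin_ok) return "U+A";
    if (admin_ok) return "A";
    return user_ok ? "U" : "?";
}

int main(void)
{
    /* The four conferences from the report's meetme.conf (constructed input). */
    const char *lines[] = { "conf => 200", "conf => 201,1", "conf => 202,,2", "conf => 203,1,2" };
    struct meetme_conf confs[4];
    int i, a;

    for (i = 0; i < 4; i++)
        if (!parse_conf_line(lines[i], &confs[i])) return 1;

    printf("E/C | 200 | 201 | 202 | 203\n");
    for (a = 0; a < 2; a++) {               /* row 101 calls MeetMe with 'a' */
        printf("%s |", a ? "101" : "100");
        for (i = 0; i < 4; i++) printf(" %-3s |", matrix_cell(&confs[i], a));
        printf("\n");
    }
    return 0;
}
```

Running it prints the second matrix from the comment above; the decisive row is 101/203, where the user PIN "1" no longer yields admin mode.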
By: Digium Subversion (svnbot) 2010-09-20 18:57:09

Repository: asterisk
Revision: 287758

U branches/1.4/apps/app_meetme.c

------------------------------------------------------------------------
r287758 | bbryant | 2010-09-20 18:57:08 -0500 (Mon, 20 Sep 2010) | 16 lines

Fix misvalidation of meetme pins in conjunction with the 'a' MeetMe flag.

When using the 'a' MeetMe flag and having a user and admin pin set up for your
conference, using the user pin would gain you admin privileges. Also, when no
user pin was set, an admin pin was, the 'a' MeetMe flag wasn't used, and the
user tried to enter a conference, then they were still prompted for a pin and
forced to hit #.

(closes issue ASTERISK-16613)
Reported by: kuj
Patches:
      pins_2.patch uploaded by kuj (license 1111)
Tested by: kuj

Review: [full review board URL with trailing slash]
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287758

By: Digium Subversion (svnbot) 2010-09-20 18:58:27

Repository: asterisk
Revision: 287759

_U branches/1.6.2/
U branches/1.6.2/apps/app_meetme.c

------------------------------------------------------------------------
r287759 | bbryant | 2010-09-20 18:58:27 -0500 (Mon, 20 Sep 2010) | 23 lines

Merged revisions 287758 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r287758 | bbryant | 2010-09-20 19:57:08 -0400 (Mon, 20 Sep 2010) | 16 lines

  Fix misvalidation of meetme pins in conjunction with the 'a' MeetMe flag.

  When using the 'a' MeetMe flag and having a user and admin pin set up for your
  conference, using the user pin would gain you admin privileges. Also, when no
  user pin was set, an admin pin was, the 'a' MeetMe flag wasn't used, and the
  user tried to enter a conference, then they were still prompted for a pin and
  forced to hit #.

  (closes issue ASTERISK-16613)
  Reported by: kuj
  Patches:
        pins_2.patch uploaded by kuj (license 1111)
  Tested by: kuj

  Review: [full review board URL with trailing slash]
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287759

By: Digium Subversion (svnbot) 2010-09-20 19:00:24

Repository: asterisk
Revision: 287760

_U branches/1.8/
U branches/1.8/apps/app_meetme.c

------------------------------------------------------------------------
r287760 | bbryant | 2010-09-20 19:00:24 -0500 (Mon, 20 Sep 2010) | 30 lines

Merged revisions 287759 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2

................
  r287759 | bbryant | 2010-09-20 19:58:26 -0400 (Mon, 20 Sep 2010) | 23 lines

  Merged revisions 287758 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r287758 | bbryant | 2010-09-20 19:57:08 -0400 (Mon, 20 Sep 2010) | 16 lines

    Fix misvalidation of meetme pins in conjunction with the 'a' MeetMe flag.

    When using the 'a' MeetMe flag and having a user and admin pin set up for your
    conference, using the user pin would gain you admin privileges. Also, when no
    user pin was set, an admin pin was, the 'a' MeetMe flag wasn't used, and the
    user tried to enter a conference, then they were still prompted for a pin and
    forced to hit #.

    (closes issue ASTERISK-16613)
    Reported by: kuj
    Patches:
          pins_2.patch uploaded by kuj (license 1111)
    Tested by: kuj

    Review: [full review board URL with trailing slash]
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287760

By: Digium Subversion (svnbot) 2010-09-20 19:04:55

Repository: asterisk
Revision: 287763

_U trunk/
U trunk/apps/app_meetme.c

------------------------------------------------------------------------
r287763 | bbryant | 2010-09-20 19:04:55 -0500 (Mon, 20 Sep 2010) | 37 lines

Merged revisions 287760 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
  r287760 | bbryant | 2010-09-20 20:00:23 -0400 (Mon, 20 Sep 2010) | 30 lines

  Merged revisions 287759 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.6.2

  ................
    r287759 | bbryant | 2010-09-20 19:58:26 -0400 (Mon, 20 Sep 2010) | 23 lines

    Merged revisions 287758 via svnmerge from
    https://origsvn.digium.com/svn/asterisk/branches/1.4

    ........
      r287758 | bbryant | 2010-09-20 19:57:08 -0400 (Mon, 20 Sep 2010) | 16 lines

      Fix misvalidation of meetme pins in conjunction with the 'a' MeetMe flag.

      When using the 'a' MeetMe flag and having a user and admin pin set up for your
      conference, using the user pin would gain you admin privileges. Also, when no
      user pin was set, an admin pin was, the 'a' MeetMe flag wasn't used, and the
      user tried to enter a conference, then they were still prompted for a pin and
      forced to hit #.

      (closes issue ASTERISK-16613)
      Reported by: kuj
      Patches:
            pins_2.patch uploaded by kuj (license 1111)
      Tested by: kuj

      Review: [full review board URL with trailing slash]
    ........
  ................
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287763