| Summary: | ASTERISK-23609: Security: AMI action MixMonitor allows arbitrary programs to be run | ||
| Reporter: | Corey Farrell (coreyfarrell) | Labels: | Security |
| Date Opened: | 2014-04-09 18:31:03 | Date Closed: | 2014-06-12 10:24:25 |
| Priority: | Major | Regression? | |
| Status: | Closed/Complete | Components: | Applications/app_mixmonitor |
| Versions: | SVN 11.8.1 12.1.1 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | The AMI MixMonitor action does not require permissions, but allows the AMI user to execute arbitrary programs by appending Options in Asterisk 11+, or through direct use of the new Command parameter. I'm not sure which permission should be required, but something more than 0.
This issue was noticed when I saw r412048 on asterisk-commits. | ||
| Comments: | |||