Summary: | ASTERISK-23609: Security: AMI action MixMonitor allows arbitrary programs to be run |
Reporter: | Corey Farrell (coreyfarrell) | Labels: | Security |
Date Opened: | 2014-04-09 18:31:03 | Date Closed: | 2014-06-12 10:24:25 |
Priority: | Major | Regression? | |
Status: | Closed/Complete | Components: | Applications/app_mixmonitor |
Versions: | SVN 11.8.1 12.1.1 | Frequency of Occurrence | |
Related Issues: | |
Environment: | | Attachments: | |
Description: | The AMI MixMonitor action does not require permissions, but allows the AMI user to execute arbitrary programs by appending Options in Asterisk 11+, or through direct use of the new Command parameter. I'm not sure which permission should be required, but something more than 0.
This issue was noticed when I saw r412048 on asterisk-commits. |
Comments: |