AST-2014-017 - app_confbridge: permission escalation/ class authorization. - asterisk.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Kevin Harwell <kharwell@digium.com>	2014-11-20 15:57:23 +0000
committer	Kevin Harwell <kharwell@digium.com>	2014-11-20 15:57:23 +0000
commit	a389f2d7a00c5f73e077a11fe5ee1b5a893ad81c (patch)
tree	aebec0615d517307586be878c351607554aef5dd /res/res_pjsip_acl.c
parent	1c88ca9d31b34f68fa2a9f800c1464ab58613bea (diff)

AST-2014-017 - app_confbridge: permission escalation/ class authorization.

Confbridge dialplan function permission escalation via AMI and inappropriate class authorization on the ConfbridgeStartRecord action. The CONFBRIDGE dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Also, the AMI action “ConfbridgeStartRecord” could also be used to execute arbitrary system commands without first checking for system access. The AMI “ConfbridgeStopRecord” has also been updated to only run under a system authorization. Asterisk now inhibits the CONFBRIDGE function from being executed from an external interface if the live_dangerously option is set to no. Also, the “ConfbridgeStartRecord” AMI action is now only allowed to execute under a user with system level access. ASTERISK-24490 Reported by: Gareth Palmer ........ Merged revisions 428332 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 428334 from http://svn.asterisk.org/svn/asterisk/branches/12 ........ Merged revisions 428339 from http://svn.asterisk.org/svn/asterisk/branches/13 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@428342 65c4cc65-6c06-0410-ace0-fbb531ad65f3

Diffstat (limited to 'res/res_pjsip_acl.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: