git.ipfire.org Git - thirdparty/asterisk.git/commit

author	Jonathan Rose <jrose@digium.com>
	Mon, 23 Apr 2012 14:21:30 +0000 (14:21 +0000)
committer	Jonathan Rose <jrose@digium.com>
	Mon, 23 Apr 2012 14:21:30 +0000 (14:21 +0000)
commit	6f56b53c3590657de74c7bee4082fa0c2f3f044d
tree	400873cac039c09387e3c77311f3309013de89a1	tree
parent	5991853759c04f6e5592095ba3cf6b395fc32f9e	commit \| diff

AST-2012-004: Fix an error that allows AMI users to run shell commands sans authorization.

As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.

(closes issue ASTERISK-17465)
Reported By: David Woolley
Patches:
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@363117 65c4cc65-6c06-0410-ace0-fbb531ad65f3