MixMontior: Add class authorization requirements to MixMonitor AMI commands
authorJonathan Rose <jrose@digium.com>
Thu, 12 Jun 2014 15:39:52 +0000 (15:39 +0000)
committerJonathan Rose <jrose@digium.com>
Thu, 12 Jun 2014 15:39:52 +0000 (15:39 +0000)
commit70b976f084f624e2efbcfdb6a690f7ada9f151b0
tree103a753f86724f28aa61ddc1ead509458588898c
parent870394c0513d773c6c8cab9573bd27640281359e
MixMontior: Add class authorization requirements to MixMonitor AMI commands

MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class
authorization. StopMixMonitor now requires that the manager user either have
the call or system class authorization. StartMixMonitor is a slightly larger
issue since it can execute shell commands if the right arguments are passed
into it, and we consider this a permission escalation. A security release
will be issued for problem this shortly.

ASTERISK-23609 #close
Reported by: Corey Farrell

........

Merged revisions 415825 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 415832 from http://svn.asterisk.org/svn/asterisk/branches/12

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415834 65c4cc65-6c06-0410-ace0-fbb531ad65f3
UPGRADE.txt
apps/app_mixmonitor.c