On Sun, Aug 27, 2006 at 10:05:11AM +0200, Matt Riddell (IT) wrote:
> Tzafrir Cohen wrote:
> > Note that the issue "exists in the code" in 1.2.11 just as it has
> > existed in 1.2.10 and before. And has much larger potential impact (as
> > usual) if Asterisk is run as root.
>
> Can you expand a little? Is 1.2.11 still vulnerable?

Right. If you use something like:

  Record(${CALLERIDNAME})

then yes, your Asterisk installation is still vulnerable.

BTW, even in such a stupid case,

  Record(rec-${CALLERIDNAME})

helps.

Unless I misread the advisory.
--
Tzafrir Cohen sip:[EMAIL PROTECTED]
icq#16849755 iax:[EMAIL PROTECTED]
+972-50-7952406 jabber:[EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.xorcom.com
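
Added example, not part of the original message and not Asterisk code: a Python audit that scans dialplan text for the two Record() forms the message contrasts, a filename that starts with a caller-supplied variable and one that has a literal prefix in front of it. The variable list, the function names and the sample dialplan are assumptions made for this example.

```python
import re

# Caller-supplied channel variables (assumed, non-exhaustive list for this example).
CALLER_CONTROLLED = {"CALLERIDNAME", "CALLERIDNUM", "CALLERID"}
VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)")

def record_args(line):
    """Yield the raw argument string of each Record(...) call on a dialplan line."""
    line = line.split(";", 1)[0]                 # drop dialplan comments
    for m in re.finditer(r"\bRecord\(", line, re.IGNORECASE):
        depth, start = 1, m.end()
        for i in range(start, len(line)):        # balance parens: ${CALLERID(name)}
            if line[i] == "(":
                depth += 1
            elif line[i] == ")":
                depth -= 1
                if depth == 0:
                    yield line[start:i]
                    break

def classify(arg):
    """Return 'unprefixed', 'prefixed' or None for one Record() argument string."""
    filename = re.split(r"[|,]", arg, maxsplit=1)[0].strip()   # first argument only
    hits = [m for m in VAR.finditer(filename) if m.group(1).upper() in CALLER_CONTROLLED]
    if not hits:
        return None
    # Nothing in front of the caller-controlled variable: the form the message
    # calls vulnerable. Text in front of it is the form the message says "helps".
    return "unprefixed" if hits[0].start() == 0 else "prefixed"

def audit(dialplan_text):
    """Return (line_number, classification, argument) for each flagged Record() call."""
    findings = []
    for n, line in enumerate(dialplan_text.splitlines(), 1):
        for arg in record_args(line):
            verdict = classify(arg)
            if verdict:
                findings.append((n, verdict, arg))
    return findings

# Constructed sample dialplan fragment, not taken from a real system.
SAMPLE = """\
[incoming]
exten => s,1,Record(${CALLERIDNAME})
exten => s,2,Record(rec-${CALLERIDNAME})
exten => s,3,Record(/var/spool/asterisk/msg-${UNIQUEID}.wav|5|30)
exten => s,4,Record(${CALLERID(name)}.gsm) ; function form
"""
```

Calling audit(SAMPLE) reports lines 2 and 5 as "unprefixed" and line 3 as "prefixed"; a "prefixed" result is still listed so the call can be reviewed.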