----- Denis Smirnov <[EMAIL PROTECTED]> wrote:
> On Sun, Aug 27, 2006 at 12:14:50PM +0300, Tzafrir Cohen wrote:
>
> TC> Unless I misread the advisory.
>
> See bug 7811.
>
> app_record uses the filename as a format string. It's a very, very bad idea.

No, it is not. The input to app_record comes from the _administrator_, not from a user. The administrator has complete and total control over what is fed to app_record, and if they do something silly like allow untrusted data from a user to be part of that input, then they can expect to be vulnerable.

--
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.
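
The point under discussion, a file name being interpreted as a format string, can be sidestepped by expanding the name as data. The following is an added example, not part of this thread and not Asterisk code: `build_record_name` is a hypothetical helper, and it assumes the template is only meant to carry one `%d` sequence number.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not Asterisk code). Expands a name template
 * as data: "%d" becomes seq (once), "%%" becomes '%', anything else after '%' is
 * rejected. The template is never passed to a printf-family call as the format.
 * Returns 0 on success, -1 on a rejected template or when out is too small. */
int build_record_name(char *out, size_t outlen, const char *tmpl, int seq)
{
    size_t used = 0;
    int seen_d = 0;

    if (outlen == 0)
        return -1;
    for (const char *p = tmpl; *p; p++) {
        char piece[16];   /* large enough for any int printed with %d */
        size_t len = 1;

        if (*p != '%') {
            piece[0] = *p;
        } else if (p[1] == '%') {
            piece[0] = '%';
            p++;
        } else if (p[1] == 'd' && !seen_d) {
            len = (size_t)snprintf(piece, sizeof(piece), "%d", seq);
            seen_d = 1;
            p++;
        } else {
            out[0] = '\0';
            return -1;    /* %s, %n, %x, widths, a second %d, trailing '%' */
        }
        if (used + len >= outlen) {
            out[0] = '\0';
            return -1;    /* fail rather than write a truncated name */
        }
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample templates. */
    const char *samples[] = { "/tmp/rec-%d", "msg100%%-%d", "/tmp/%s%s", "a%d-%d" };
    char name[64];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = build_record_name(name, sizeof(name), samples[i], 7);
        printf("%s -> %s\n", samples[i], rc == 0 ? name : "(rejected)");
    }
    return 0;
}
```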
