As I pointed out here last night, there is also a very serious security 
vulnerability associated with this.  Example: An attacker could compromise the 
script that is used on the remote host, and set it to force clients that 
connect to run a command such as "rm -rf /".  There are about half a dozen ways 
I could see this being abused - in either a "one off" or an "every 
installation" scenario.  Fonality has yet to acknowledge this aspect of the 
issue - and I fear that they never will.

See:
http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html


P.S.: On behalf of Rob (of FreePBX fame), I'd like to also point out that
this is something that was added to trixbox, and not FreePBX.  Quoting
Rob: "when someone mistakenly says 'trixbox does...' they usually mean
'freepbx does...' as FreePBX is the GUI Trixbox uses to configure
Asterisk".  In this instance, that is not the case - it is only a
trixbox issue.

> From: [EMAIL PROTECTED]
> To: [email protected]; [EMAIL PROTECTED]
> Date: Sun, 16 Dec 2007 20:53:53 -0500
> Subject: [asterisk-users] Trixbox Phones Home
> 
>       I just read on Slashdot (at
> http://yro.slashdot.org/article.pl?sid=07/12/16/222243 ) that Trixbox
> "has been phoning home with statistics about their installations", as a
> Trixbox user exposed in "Trixbox Phones Home" at
> http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home
>  .
> -- 
> 
> (C) Matthew Rubenstein
> 
> 
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
