On Sun, Dec 16, 2007 at 10:27:36PM -0600, Than Taro wrote:
> As I pointed out here last night, there is also a very serious
> security vulnerability associated with this. Example: An attacker
> could compromise the script that is used on the remote host, and
> set it to force clients that connect to run a command such as "rm
> -rf /". There are about half a dozen ways I could see this being
> abused - in either a "one off" or an "every installation" scenario.
> Fonality has yet to acknowledge this aspect of the issue - and I
> fear that they never will.
Ok, then I *didn't* misread the advisory.

Yes: who ever thought that *retrieving commands to execute in a privileged fashion from a non-authenticated remote source* was a pretty neat idea? *This* is the thing for which Fonality should be hoist, not the phone home aspect, per se.

Cheers,
-- jra
--
Jay R. Ashworth                   Baylink                      [EMAIL PROTECTED]
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
Witty slogan redacted until AMPTP stop screwing WGA
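The pattern the thread objects to, a client that hands whatever an unauthenticated remote host returns to a privileged shell, next to the check a client should make before acting on fetched content. This is an added illustration, not Fonality's code or anything from the advisory; the script body, key pair and function names are constructed for the example, and the "dispatch" functions only return the command text rather than executing it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: the body a phone-home client might fetch from the vendor host.
const fetchedScript = "#!/bin/sh\necho updating config\n"

// ErrBadSignature is returned when fetched content does not verify against the pinned key.
var ErrBadSignature = errors.New("fetched script failed signature check; refusing to execute")

// unsafeDispatch models the criticised design: whatever the remote host sent is
// accepted as-is, so anyone who controls (or impersonates) that host controls the
// client. It returns the command text that would have been run.
func unsafeDispatch(body string) string {
	return strings.TrimSpace(body)
}

// verifiedDispatch accepts the body only if it carries a valid detached Ed25519
// signature from a key pinned in the client at install time (hypothetical design).
// Because the key is pinned rather than fetched, compromising the remote host is
// no longer enough to push arbitrary commands to every installation.
func verifiedDispatch(pinned ed25519.PublicKey, body string, sig []byte) (string, error) {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, []byte(body), sig) {
		return "", ErrBadSignature
	}
	return strings.TrimSpace(body), nil
}

func main() {
	// Constructed key pair standing in for the vendor's signing key and the client's pinned copy.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, []byte(fetchedScript))

	// A host compromise (or an on-path attacker) alters the script after signing.
	tampered := fetchedScript + "echo attacker-controlled\n"

	fmt.Printf("unsafe client would run:\n%s\n", unsafeDispatch(tampered))
	if _, err := verifiedDispatch(pub, tampered, sig); err != nil {
		fmt.Println("verifying client:", err)
	}
	if cmd, err := verifiedDispatch(pub, fetchedScript, sig); err == nil {
		fmt.Printf("verifying client accepts the genuine script:\n%s\n", cmd)
	}
}
```

The check only helps if the public key is pinned in the client and never fetched from the same host the script comes from; it also does not by itself stop replay of an older, validly signed script.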
