Mauricio Lopez
Joined: 2008/09/23
Points: 0

Hi, the following URL: http://pbx.example.com/asterisk/configs/asterisk/ discloses information about PBX Manager files. I think that this can be protected in some manner. We add an index.html to the directories so that information about files and directories is not displayed. Does anybody have an idea for applying a more robust security patch?

eeman
Joined: 2007/11/06
Points: 260

Don't use HTTP provisioning. It is your weakest link.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

Mauricio Lopez
Joined: 2008/09/23
Points: 0

eeman, but this security break applies to user Webmin (where a user can change voicemail settings, tenant management, for example), not to the provisioning link.

Thanks

Regards

eeman
Joined: 2007/11/06
Points: 260

That does not occur on my servers unless logged in as a valid user (of which I have a record of login/logout), in which case they are only observing default configurations, the same ones someone could download off the internet. Do you have a better example of risk? AFAIK the contents of /usr/libexec/webmin/asterisk are very generic, and nothing is in here that isn't already obtainable by downloading the webmin module from the website.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com