
Security Issues

Posted by Mauricio Lopez on Tue, 12/02/2008

Hi, the next URL: http://pbx.example.com/asterisk/configs/asterisk/ discloses information about pbx manager files. I think that this can be protected in any manner. We add an index.html to the directories to not permit display of information about file directories. Does anybody have an idea to apply a more robust security patch?


Submitted by Mauricio Lopez on Mon, 12/08/2008 Permalink

eeman, but this security break applies to user webmin (where user can change voicemail settings, tenants management, for example) not in provisioning link.

Thanks

Regards

Submitted by eeman on Mon, 12/08/2008 Permalink

That does not occur on my servers unless logged in as a valid user (of which I have a record of login/logout), in which case they are only observing default configurations, the same ones someone could download off the internet. Do you have a better example of risk? AFAIK the contents of /usr/libexec/webmin/asterisk are very generic and nothing is in here that isn't already obtainable by downloading the webmin module from the website.