On Wed, 16 Mar 2011, Vinícius Fontes wrote:
> But I really don't see much of a threat on this. AGI does almost the same.
I thought you didn't want to start a flamefest :)
The security risk of AGI would be 'the same' if you provide a method for a miscreant to create a file on your Asterisk server, make it executable, modify your dialplan, reload the dialplan and execute that section of the dialplan.
If all these conditions are already in place, your definition of 'secure' is different than mine.
The ability to [remotely] execute a shell command via AMI does sound interesting. Can you describe where this would be needed and could not be accomplished with existing tools like ssh and sudo?
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards [email protected] Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
