Asterisk Project Security Advisory - AST-2009-009
Β±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------Β±------------------------------------------------|
| Summary | Cross-site AJAX request vulnerability |
|----------------------Β±------------------------------------------------|
| Nature of Advisory | Cross-site AJAX request exploitation |
|----------------------Β±------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------Β±------------------------------------------------|
| Severity | Minor |
|----------------------Β±------------------------------------------------|
| Exploits Known | No |
|----------------------Β±------------------------------------------------|
| Reported On | October 26, 2009 |
|----------------------Β±------------------------------------------------|
| Reported By | issues.asterisk.org user jcollie |
|----------------------Β±------------------------------------------------|
| Posted On | November 4, 2009 |
|----------------------Β±------------------------------------------------|
| Last Updated On | November 4, 2009 |
|----------------------Β±------------------------------------------------|
| Advisory Contact | Joshua Colp <jcolp AT digium DOT com> |
|----------------------Β±------------------------------------------------|
| CVE Name | CVE-2008-7220 |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
| Description | Asterisk includes a demonstration AJAX based manager |
| | interface, ajamdemo.html which uses the prototype.js |
| | framework. An issue was uncovered in this framework |
| | which could allow someone to execute a cross-site AJAX |
| | request exploit. |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions below, or apply one of the |
| | patches specified in the Patches section. |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Addons |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Addons |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Addons |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Business Edition |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Business Edition |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Business Edition |
----------------------------Β±--------Β±-------------------------------- |
AsteriskNOW |
----------------------------Β±--------Β±-------------------------------- |
s800i (Asterisk Appliance) |
Β±-----------------------------------------------------------------------+ |
Β±-----------------------------------------------------------------------+
Corrected In |
---|
Product |
--------------------------------------------Β±-------------------------- |
Asterisk Open Source |
--------------------------------------------Β±-------------------------- |
Asterisk Open Source |
--------------------------------------------Β±-------------------------- |
Asterisk Open Source |
--------------------------------------------Β±-------------------------- |
Asterisk Business Edition |
--------------------------------------------Β±-------------------------- |
Asterisk Business Edition |
--------------------------------------------Β±-------------------------- |
Asterisk Business Edition |
Β±-----------------------------------------------------------------------+ |
Β±-----------------------------------------------------------------------+
Patches |
---|
SVN URL |
---------------------------------------------------------------Β±------- |
http://downloads.digium.com/pub/asa/AST-2009-009-1.4.diff.txt |
---------------------------------------------------------------Β±------- |
http://downloads.digium.com/pub/asa/AST-2009-009-1.6.0.diff.txt |
---------------------------------------------------------------Β±------- |
http://downloads.digium.com/pub/asa/AST-2009-009-1.6.1.diff.txt |
Β±-----------------------------------------------------------------------+ |
Β±-----------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16139 |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-009.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-009.html |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
Revision History |
---|
Date |
-----------------------Β±------------------Β±--------------------------- |
October 29, 2009 |
Β±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2009-009
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.