From a36c7c9c955e27e154f98e3d1c327804d7381a30 Mon Sep 17 00:00:00 2001 From: Kevin Harwell Date: Thu, 20 Nov 2014 15:29:34 +0000 Subject: [PATCH] AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI. The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no. ASTERISK-24534 Reported by: Gareth Palmer patches: submitted by Gareth Palmer (license 5169) git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@428331 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- funcs/func_db.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/funcs/func_db.c b/funcs/func_db.c index 282a962e1b..6c1d54dc94 100644 --- a/funcs/func_db.c +++ b/funcs/func_db.c @@ -282,7 +282,7 @@ static int load_module(void) { int res = 0; - res |= ast_custom_function_register(&db_function); + res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH); res |= ast_custom_function_register(&db_exists_function); res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);