AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI.

The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no. ASTERISK-24534 Reported by: Gareth Palmer patches: submitted by Gareth Palmer (license 5169) ........ Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 428363 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 428409 from http://svn.asterisk.org/svn/asterisk/branches/12 ........ Merged revisions 428413 from http://svn.asterisk.org/svn/asterisk/branches/13 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@428418 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-10-31 02:37:10 +00:00 · 2014-11-20 16:35:21 +00:00
parent 2f97486d43
commit 2486b48cec
1 changed files with 1 additions and 1 deletions
--- a/funcs/func_db.c
+++ b/funcs/func_db.c
@@ -351,7 +351,7 @@ static int load_module(void)
 {
 	int res = 0;

-	res |= ast_custom_function_register(&db_function);
+	res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
 	res |= ast_custom_function_register(&db_exists_function);
 	res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
 	res |= ast_custom_function_register(&db_keys_function);