[FREEPBX-5100] Security: type=friend allows extensions to be enumerated - Sangoma Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Trivial
Resolution: Out of Date
Affects Version/s: 2.9
Fix Version/s: None
Component/s: Asterisk SIP Settings
Labels:
- friend
- security

ToDo:

Description

As reported in this thread http://www.freepbx.org/forum/freepbx/general-help/security-enumerating-extensions using type=friend for extensions results in extension enumeration vulnerability. There is really no point in using type=friend for extensions. Extensions should use type=peer by default. The circumstances where type=friend would be needed are unclear, given the fact the extensions are supposed to register. More info in this post from 2005: http://www.voip-info.org/wiki/view/Asterisk+SIP+user+vs+peer

Gliffy Diagrams

Attachments

Issue Links

relates to

FREEPBX-5306 In FreePBX Advanced Settings please allow selecting default extension type at creation

Closed

Activity

People

Assignee:

Unassigned

Reporter:

obelisk (Inactive)

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

26/Apr/11 3:25 AM

Updated:

15/Jan/19 11:41 PM

Resolved:

19/Apr/16 6:14 PM

NextupJiraPlusStatus

Error rendering 'slack.nextup.jira:nextup-jira-plus-status'. Please contact your Jira administrators.