  1. FreeSWITCH
  2. FS-451

xmlrpc fails to check security restrictions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mod_xml_rpc
    • Labels:
      None
    • Environment:
      FreeBSD 6.4
    • Kernel:
      FreeBSD
    • uname:
      6.4-PRERELEASE FreeBSD i386
    • Userland:
      FreeBSD
    • Distribution:
      FreeBSD
    • Compiler:
      gcc
    • Compiler Version:
      gcc (GCC) 3.4.6 [FreeBSD] 20060305
    • FreeSWITCH GIT Revision:
      13823
    • GIT Master Revision hash:
      yes

      Description

      [ I marked this as major simply because of it being a security hole. – jwehle ]

      Currently if an extension has:

      <param name="http-allowed-api" value="voicemail"/>

      and:

      http://fs:8080/api/status

      is accessed it fails with a 403. However using xmlrpc
      to invoke status works fine because the freeswitch_api
      function in mod_xml_rpc.c doesn't do any authorization
      checking. This is a security hole which allows any
      command to be executed and is fixed by the enclosed patch.

      Changes:

      1) Changed freeswitch_api from method 1 to method 2
      so it can access session information.

      2) Modified http_directory_auth so that both the user
      and domain are stored in the session information.

      3) Moved code from http_directory_auth which looks
      up a user's passwd and allowed commands into
      a new function called user_attributes.

      Call it from http_directory_auth and is_authorized.

      4) Moved code from handler_hook which checks to see
      if the user is authorized for the requested command
      into a new function called is_authorized.

      Call it from handler_hook and freeswitch_api.

      5) Fixed http_directory_auth so that a user can only login
      as the global user if the specified realm matches the
      global realm.

      6) Fixed http_directory_auth so that specifying the domain
      as part of the global user name works when authenticating.
      Previously freeswitch:works succeeded however
      freeswitch@freeswitch:works failed.

      7) Fixed the memory leak which occurred in handler_hook. The
      memory allocated by dup = strdup(ti->value) was only freed
      on an unsuccessful authorization.

      8) Simplified the code in http_directory_auth which set the domain.
      Specifically:

      if (!domain_name) {
          if (dp) {
              domain_name = dp;
              at++;
          } else {
              XXX;
          }
      }

      Can be written as:

      if (!domain_name) {
          XXX;
      }

      Since it's impossible for dp to be set if domain_name is NULL due to
      the earlier code:

      if ((dp = strchr(user, '@'))) {
          *dp++ = '\0';
          domain_name = dp;
          at++;
      }
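
An added illustration of changes 4 and 7 above (not code from the patch or from FreeSWITCH): a simplified C model in which one is_authorized function is shared by the HTTP and XML-RPC entry points and frees its working copy on every path. The entry-point names http_api, xmlrpc_api_before and xmlrpc_api_after, and the comma-separated list format, are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not FreeSWITCH code. `allowed` stands in for a user's
 * http-allowed-api value; a comma-separated list is an assumption here. */
static int is_authorized(const char *allowed, const char *command)
{
    char *dup, *tok, *next;
    size_t n;
    int ok = 0;
    if (!allowed || !command || !*command)
        return 0;                    /* no list or empty command: deny */
    n = strlen(allowed) + 1;
    if (!(dup = malloc(n)))
        return 0;                    /* fail closed on allocation error */
    memcpy(dup, allowed, n);
    for (tok = dup; tok && !ok; tok = next) {
        if ((next = strchr(tok, ',')))
            *next++ = '\0';          /* cut the list at the next comma */
        while (*tok == ' ')
            tok++;                   /* tolerate "a, b" */
        ok = (strcmp(tok, command) == 0);   /* exact match, not prefix */
    }
    free(dup);                       /* single exit: freed on allow and deny */
    return ok;
}

/* Hypothetical entry points returning an HTTP-style status code. */
int http_api(const char *allowed, const char *cmd)
{
    return is_authorized(allowed, cmd) ? 200 : 403;
}
int xmlrpc_api_before(const char *allowed, const char *cmd)
{
    (void)allowed; (void)cmd;        /* the reported bug: no check at all */
    return 200;
}
int xmlrpc_api_after(const char *allowed, const char *cmd)
{
    return is_authorized(allowed, cmd) ? 200 : 403;
}

int main(void)
{
    printf("http=%d xmlrpc_before=%d xmlrpc_after=%d\n", http_api("voicemail", "status"),
           xmlrpc_api_before("voicemail", "status"), xmlrpc_api_after("voicemail", "status"));
    return 0;
}
```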

              People

              • Assignee:
                brian@freeswitch.org Brian West
                Reporter:
                jwehle John Wehle

                  Time Tracking

                  Estimated: 30m
                  Remaining: 30m
                  Logged: Not Specified