+++ This bug was initially created as a clone of Bug #284874 +++
(prototypejs) before 18.104.22.168 allows attackers to make "cross-site
ajax requests" via unknown vectors.
Asterisk 22.214.171.124 ships prototype 1.4.0 in static-http/prototype.js
It is possible to determine if a peer with a specific name is configured in Asterisk by sending a specially crafted REGISTER message twice. The username that is to be checked is put in the user portion of the URI in the To header. A bogus non-matching value is put into the username portion of the Digest in the Authorization header. If the peer does exist the second REGISTER will receive a response of “403 Authentication user name does not match account name”. If the peer does not exist the response will be “404 Not Found” if alwaysauthreject is disabled and “401 Unauthorized” if alwaysauthreject is enabled.
Asterisk includes a demonstration AJAX based manager interface, ajamdemo.html which uses the prototype.js framework. An issue was uncovered in this framework which could allow someone to execute a cross-site AJAX request exploit.
voip: Please bump.
+*asterisk-126.96.36.199 (04 Nov 2009)
+*asterisk-1.2.36 (04 Nov 2009)
+ 04 Nov 2009; <firstname.lastname@example.org> -asterisk-1.2.35-r1.ebuild,
+ +asterisk-1.2.36.ebuild, -asterisk-188.8.131.52.ebuild,
+ -asterisk-184.108.40.206-r1.ebuild, +asterisk-220.127.116.11.ebuild:
+ Version bumps as requested by Alex "a3li" Legler in security bug #284892,
+ drop any non-stable vulnerable ebuild. Upstream advisory AST-2009-008.
Arch teams, please stable net-misc/asterisk-1.2.36
Target keywords: alpha amd64 ppc sparc x86
Recommend compile test & attempt to run (default configuration should allow the daemon to start and stop with green OK from /etc/init.d/asterisk).
+ 05 Nov 2009; <email@example.com> asterisk-1.2.36.ebuild:
+ Marked stable on AMD64 for security bug #284892, based on compilation &
+ start/stop init.d test on default configuration.
Stable on alpha.
Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 18.104.22.168,
1.6.0.x before 22.214.171.124, and 1.6.1.x before 126.96.36.199; Business Edition
A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x
before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 188.8.131.52
generate different error messages depending on whether a SIP username
is valid, allows remote attackers to enumerate valid usernames via
multiple crafted REGISTER messages with inconsistent usernames in the
URI in the To header and the Digest in the Authorization header.
Marked ppc stable.