Pickup security hole in multi-tenanted environment

Hi

We are using version 2.26 in a multi-tenanted environment. If user A clicks the call pickup button when there is no call coming in for that customer, it picks up a random call from another customer on the server. As you can appreciate, this is a serious security issue.

Can anyone try to replicate this and see if it is a genuine bug?

Comments

  • Here is an excerpt from fop2.cfg, you will have to use the option that is more appropriate for your scenario/asterisk version:
    ; Call pickup uses the pickupmark variable by default. In multi tenant
    ; systems this might lead to problems as you might end up picking up
    ; some other tenant's call. In that case you might want to try to
    ; pick up the call by its context by uncommenting the following line:
    ;
    ; no_pickupmark=1

    ; If your asterisk version supports the pickupchan application it is
    ; much better to use this than the regular pickup application as it will
    ; be directed towards the channel and not the extension, making it
    ; more precise.
    ;
    ; use_pickupchan=1
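A quick audit helper for the excerpt above, added here as an example and not part of FOP2 itself: it parses the `;`-commented key=value lines of a fop2.cfg and reports whether either mitigation is actually in effect (uncommented and set to 1), since the shipped file leaves both commented out. The sample configs are constructed; the treatment of "yes"/"true" as enabled is an assumption.

```python
"""Check a fop2.cfg for the multi-tenant call pickup mitigations.

Added example, not FOP2's own code. Only lines that are NOT prefixed
with ';' count as active settings, which is exactly the trap in the
shipped excerpt: both options are present but commented out.
"""

MITIGATIONS = ("no_pickupmark", "use_pickupchan")


def parse_fop2_cfg(text):
    """Return {key: value} for active (uncommented) key=value lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or ';' comment: the setting is not in effect
        if "=" not in line:
            continue  # section headers and other non key=value lines
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def pickup_mitigations(text):
    """Map each mitigation to True when it is enabled (1/yes/true, assumed)."""
    settings = parse_fop2_cfg(text)
    return {k: settings.get(k, "").lower() in ("1", "yes", "true")
            for k in MITIGATIONS}


def is_multitenant_safe(text):
    """True when at least one of the two pickup mitigations is active."""
    return any(pickup_mitigations(text).values())


# Constructed sample: the shipped excerpt, both options still commented out.
DEFAULT_CFG = """
; Call pickup uses the pickupmark variable by default.
;
; no_pickupmark=1
;
; use_pickupchan=1
"""

# Constructed sample: an operator uncommented no_pickupmark.
FIXED_CFG = DEFAULT_CFG.replace("; no_pickupmark=1", "no_pickupmark=1")

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("fixed", FIXED_CFG)):
        state = "safe" if is_multitenant_safe(cfg) else "AT RISK"
        print(name, pickup_mitigations(cfg), state)
```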
    