Description
Adam Caudill has reported multiple vulnerabilities in ViciDial Asterisk GUI Client, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct SQL injection attacks.
1) Input passed via the "extension" and "phone_ip" GET parameters is not properly sanitised before being used in a "passthru()" call in www/agc/manager_send.php. This can be exploited to inject and execute arbitrary shell commands.
2) Input passed via the "campaign" GET parameter to extras/SCRIPT_multirecording_AJAX.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
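The following is an added illustration of the two patterns described in 1) and 2), written for this page and not taken from ViciDial or from the advisory: unvalidated GET parameters reaching a passthru() call and a string-built SQL query, each beside a hardened version. The command path, table name and column names are hypothetical stand-ins, not the real contents of www/agc/manager_send.php or extras/SCRIPT_multirecording_AJAX.php.

```php
<?php
// Added example: vulnerable vs. hardened handling of GET parameters.
// NOT ViciDial's code; command, table and column names are hypothetical.

// --- 1) Shell command injection via passthru() ---------------------------

// Vulnerable pattern: both parameters are concatenated straight into the
// command line, so phone_ip="10.0.0.5; id" appends a second command.
function sendVulnerable(array $get): void
{
    $extension = $get['extension'];
    $phone_ip  = $get['phone_ip'];
    passthru("/usr/local/bin/send_to_phone --ext=$extension --ip=$phone_ip");
}

// Hardened pattern: reject anything that is not the expected shape, then
// quote every argument with escapeshellarg() before it reaches the shell.
function buildSendCommand(array $get): string
{
    $extension = $get['extension'] ?? '';
    $phone_ip  = $get['phone_ip'] ?? '';

    if (!preg_match('/^[0-9]{1,10}$/', $extension)) {
        throw new InvalidArgumentException('bad extension');
    }
    if (filter_var($phone_ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('bad phone_ip');
    }
    // escapeshellarg() single-quotes the value so ; | & $ ` and newlines
    // cannot terminate the argument or start a new command.
    return '/usr/local/bin/send_to_phone --ext=' . escapeshellarg($extension)
         . ' --ip=' . escapeshellarg($phone_ip);
}

function sendHardened(array $get): void
{
    passthru(buildSendCommand($get));
}

// --- 2) SQL injection via a string-built query ---------------------------

// Vulnerable pattern: campaign="X' OR '1'='1" rewrites the WHERE clause.
function recordingsVulnerable(mysqli $db, array $get): mysqli_result|false
{
    $campaign = $get['campaign'];
    return $db->query("SELECT id, filename FROM recordings WHERE campaign='$campaign'");
}

// Hardened pattern: the value is bound as a parameter and never parsed as SQL.
function recordingsHardened(mysqli $db, array $get): array
{
    $campaign = $get['campaign'] ?? '';
    $stmt = $db->prepare('SELECT id, filename FROM recordings WHERE campaign = ?');
    $stmt->bind_param('s', $campaign);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed payload exercising the validation path (no shell or DB needed).
$payload = ['extension' => '1001', 'phone_ip' => '10.0.0.5; id'];
try {
    echo buildSendCommand($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validation before escapeshellarg() is deliberate: quoting alone stops the shell from interpreting metacharacters, but an allowlist on the expected format (digits for an extension, a syntactically valid address for an IP) also keeps unexpected values away from the tool being invoked. For the SQL case, a prepared statement removes the injection regardless of what the parameter contains, which is why it is preferred over escaping.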
The vulnerabilities are reported in version 2.8. Other versions may also be affected.