Hi, the following URL: http://pbx.example.com/asterisk/configs/asterisk/ discloses information about PBX manager files. I think that this can be protected in any manner. We add an index.html to the directories so as not to permit displaying information about files and directories. Does anybody have an idea for applying a more robust security patch?
eeman, but this security break applies to the webmin user (where the user can change voicemail settings, tenants management, for example), not to the provisioning link.
Thanks
Regards
That does not occur on my servers unless logged in as a valid user (of which I have a record of login/logout), in which case they are only observing default configurations, the same ones someone could download off the internet. Do you have a better example of risk? AFAIK the contents of /usr/libexec/webmin/asterisk are very generic and nothing is in here that isn't already obtainable by downloading the webmin module from the website.
Don't use HTTP provisioning. It is your weakest link.