Security Audit Report
16 findings identified during an authorized security audit.
Critical: Asterisk call file injection (user data written to .call files without sanitization), SQL injection in the CSV export filter (the input blacklist can be bypassed).
High: IDOR in UserController (cross-account data access), missing accessRules() on administrative actions, information disclosure of internal system details.
Pattern: Yii 1.x accessRules() coverage is inconsistent across controllers. The Asterisk integration introduces telephony-specific command injection via .call file directives.
Fix: Sanitize .call file data, use parameterized queries, add accessRules() to all actions, scope queries per-user.
Reported under responsible disclosure.
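The first fix above, sanitizing data before it reaches a .call file, as an added example (not code from the audited application): Asterisk parses one "Key: value" directive per line, so each user-controlled field is matched against an allowlist pattern with fullmatch so that no embedded CR/LF can introduce a second directive. The allowed channel technologies and field patterns are assumptions for the example.

```python
import re

# Added example (not the audited application's code): build an Asterisk .call
# file from request data so that no user-supplied value can inject a second
# "Key: value" directive. Allowlists below are assumptions for the example.

ALLOWED_TECH = {"SIP", "PJSIP", "Local"}          # channel technologies we dial
FIELD_RULES = {                                   # per-field allowlist patterns
    "dial_string": re.compile(r"[A-Za-z0-9_@.\-]{1,64}"),
    "context": re.compile(r"[A-Za-z0-9_\-]{1,64}"),
    "extension": re.compile(r"[0-9*#]{1,32}"),
    "caller_id": re.compile(r"[A-Za-z0-9 .\-]{1,40}"),
}


class CallFileError(ValueError):
    """Raised when a field would not produce exactly one safe directive."""


def _clean(name, value):
    # fullmatch (not match/search) so a trailing newline or an embedded
    # newline followed by another directive cannot slip past the pattern.
    if not isinstance(value, str) or not FIELD_RULES[name].fullmatch(value):
        raise CallFileError(f"rejected {name}: {value!r}")
    return value


def build_call_file(tech, dial_string, context, extension, caller_id,
                    priority=1, wait_time=30, max_retries=0):
    """Return the .call file text, or raise CallFileError on bad input."""
    if tech not in ALLOWED_TECH:
        raise CallFileError(f"rejected channel technology: {tech!r}")
    directives = [
        ("Channel", f"{tech}/{_clean('dial_string', dial_string)}"),
        ("CallerID", _clean("caller_id", caller_id)),
        ("Context", _clean("context", context)),
        ("Extension", _clean("extension", extension)),
        ("Priority", str(int(priority))),      # int() rejects non-numeric text
        ("WaitTime", str(int(wait_time))),
        ("MaxRetries", str(int(max_retries))),
    ]
    # Every value above is now free of CR/LF, so the output has exactly
    # len(directives) lines and Asterisk sees only the directives we intended.
    return "".join(f"{key}: {value}\n" for key, value in directives)


if __name__ == "__main__":
    print(build_call_file("PJSIP", "1000", "from-internal", "2000", "Helpdesk"))
    try:
        build_call_file("PJSIP", "1000\nContext: other", "from-internal", "2000", "x")
    except CallFileError as exc:
        print("blocked:", exc)
```

Write the returned text to a staging directory and move it into the outgoing spool in a single rename, so Asterisk never picks up a half-written file.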