[Asterisk-bsd] Securing Asterisk with a DID

Christopher Arnold chris at arnold.se
Mon Aug 30 14:55:00 CDT 2010



On Mon, 30 Aug 2010, Vince Vielhaber wrote:

>
> On Mon, 30 Aug 2010, Frank Griffith wrote:
>
>> Ok, so let me see if I understand this now....
>>
>> someone could have done something like this from their SIP phone or asterisk
>> console
>>
>> dial/SIP/my_IP_ADDRESS/01159721232
>>
>> and my dial plan of course let them out because I'm a lazy hack who hasn't yet
>> tightened up on the security. Honestly, I've read TFOT volume 2 many times and
>> never would have known it would be that easy. I am working on tightening up the
>> dial plan now. It's been working for me for several years now but only in the
>> last few weeks did anything go wrong.
>
> Exactly.  And once it was discovered, whoever discovered it made it
> a point to tell everybody they know.
>
There is also an issue with ${EXTEN}; this is like an SQL injection:
http://www.voip-forum.com/?p=241&preview=true

 	/Chris

http://www.arnold.se/chris/
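Below is an added example, not configuration from this thread or from any Asterisk distribution, showing both problems discussed above in Asterisk's own config syntax: a catch-all context that gives unauthenticated SIP callers trunk access (the "dial out through my IP" case Frank describes), and a context that passes ${EXTEN} unfiltered to System() and to a database lookup (the injection issue Chris links to). It goes slightly beyond the thread by also showing the sip.conf settings that keep guest calls out of the dialplan. Peer name mytrunk, extension 1001, the context names, the log path and the ODBC_LOOKUP_DID function are all assumptions for illustration.

```ini
; ===== sip.conf (assumed names: mytrunk, 1001, context names) =====
[general]
; Do not let unauthenticated INVITEs into the dialplan at all.
allowguest=no
; If guests are ever allowed, they land here, which has no trunk access.
context=from-sip-guests
; Same rejection for unknown user and bad password: no username enumeration.
alwaysauthreject=yes

[mytrunk]
type=peer
host=sip.provider.example        ; assumed provider host
context=from-trunk
; registration / auth lines omitted

[1001]
type=friend
secret=change-me                 ; placeholder
context=from-internal

; ===== extensions.conf =====

; BEFORE: one catch-all context containing outbound dialing. Any call that
; lands here, including a guest INVITE to sip:01159721232@my_IP_ADDRESS,
; becomes Dial(SIP/mytrunk/01159721232) at your expense.
;[default]
;exten => _X.,1,Dial(SIP/mytrunk/${EXTEN})

; AFTER: guests only reach a dead end.
[from-sip-guests]
exten => _X.,1,NoOp(Rejected guest call to ${EXTEN} from ${CHANNEL})
 same => n,Hangup(21)            ; cause 21 = call rejected

; Authenticated phones get outbound access through an explicit context
; with tight patterns instead of _X. (international gets its own, tighter rule).
[from-internal]
include => outbound-trusted

[outbound-trusted]
exten => _1NXXNXXXXXX,1,Dial(SIP/mytrunk/${EXTEN},60)
 same => n,Hangup()

; ${EXTEN} is attacker-controlled. The "." in _X. matches any characters,
; not only digits, so a To: user such as  1;rm -rf /  reaches the dialplan
; intact. Passing it unfiltered to a shell or a SQL query is the injection.
[from-trunk]
; BAD: shell injection through ${EXTEN}
;exten => _X.,1,System(echo "call to ${EXTEN}" >> /var/log/asterisk/calls.log)
; BAD: SQL injection through ${EXTEN} (ODBC_LOOKUP_DID is an assumed func_odbc
; function whose readsql interpolates ${ARG1} directly into the query)
;exten => _X.,n,Set(DID_OWNER=${ODBC_LOOKUP_DID(${EXTEN})})

; GOOD: whitelist the characters, reject anything that was stripped, and
; escape what goes into SQL. In func_odbc.conf the query should read
;   readsql=SELECT owner FROM dids WHERE did='${SQL_ESC(${ARG1})}'
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
 same => n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
 same => n,System(echo "call to ${SAFE_EXTEN}" >> /var/log/asterisk/calls.log)
 same => n,Set(DID_OWNER=${ODBC_LOOKUP_DID(${SAFE_EXTEN})})
 same => n,Goto(from-internal,${SAFE_EXTEN},1)
 same => n(reject),Hangup(21)
```

After loading this, check what an unauthenticated caller can reach with `dialplan show from-sip-guests` and `sip show settings` (confirm Allow unknown access: No), and use `dialplan show outbound-trusted` to confirm that no `_X.` pattern can reach a Dial() through the trunk. The FILTER/compare pair is the dialplan equivalent of parameterising a query: it refuses the request rather than silently "cleaning" it, so an attacker probing with metacharacters shows up as a rejected call in the logs instead of as a partially executed command.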
