No subject


Sun Jul 19 19:54:31 CDT 2009


I think it would be good for the Asterisk project if we put out a more
official document with a security advisory about this security issue. We
need to update/add examples in configs/extension.conf in all releases and
probably add a document in doc/ for this too.

At the core of this issue is this advice:

"If you take the incoming called number from a voip protocol that allows
alphanumeric dialling and use that unfiltered for dialing out, there is an
obvious risk that the caller injects data that can be parsed as an
additional dialstring by the dial() application in Asterisk.
We advise everyone to filter out the ampersand (&) character from the
extension before using it as a dialstring for the dial() application. There
are many ways to do this, one is using the CUT dialplan function to take
only the first part or the FILTER dialplan function to filter out the
dangerous character or deny the call."

The advisory document needs a few examples using CUT, FILTER and possibly
REGEX as well.

After this is done, we can discuss future changes in future versions of
Asterisk and possibly enhancements to current releases, but I feel it's
important to speed up this information. 

Issue History
Date Modified     Username   Field                Change
======================================================================
2010-02-18 10:35  svnbot     Checkin
2010-02-18 10:35  svnbot     Note Added: 0118223
======================================================================
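The advice quoted in the post, worked through as an extensions.conf fragment. This is an added example written for this page, not the post author's text and not an Asterisk project sample config. It assumes a SIP peer named "provider" and a context reached from a VoIP trunk that allows alphanumeric dialling; both names are illustrative. The first context shows the pattern the post warns against, the three that follow show the CUT, FILTER and REGEX mitigations it mentions.

```ini
; Added example for the asterisk-bugs post above; not part of the post or of
; the Asterisk project's own sample configuration. "provider" is an assumed
; SIP peer name used only for illustration.

[from-voip-unsafe]
; "_X." matches a digit followed by anything, so ${EXTEN} can carry letters
; and symbols when the trunk allows alphanumeric dialling. Passing it
; straight to Dial() is the risk the post describes: an ampersand inside
; ${EXTEN} is parsed by Dial() as a second dialstring.
exten => _X.,1,Dial(SIP/${EXTEN}@provider,30)
exten => _X.,n,Hangup()

[from-voip-cut]
; Mitigation 1: CUT() keeps only the part before the first "&".
; CUT takes the variable *name* (EXTEN), not ${EXTEN}.
exten => _X.,1,Set(SAFE_EXTEN=${CUT(EXTEN,&,1)})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider,30)
exten => _X.,n,Hangup()

[from-voip-filter]
; Mitigation 2: FILTER() drops every character that is not in the allowed
; list, so "&" (and anything else unexpected) never reaches Dial().
; The allowed set is spelled out character by character here so it works
; on older releases as well.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0123456789+,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider,30)
exten => _X.,n,Hangup()

[from-voip-regex]
; Mitigation 3: REGEX() returns 1 only when the whole extension is digits;
; anything else is refused rather than rewritten, which is the "deny the
; call" option from the post.
exten => _X.,1,GotoIf($[${REGEX("^[0-9]+$" ${EXTEN})}]?dial:reject)
exten => _X.,n(dial),Dial(SIP/${EXTEN}@provider,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Refusing non-numeric extension ${EXTEN})
exten => _X.,n,Hangup()
```

With the CUT and FILTER variants a called number such as 1234&anything is dialled as 1234; with the REGEX variant the same call is refused and logged with NoOp. Which behaviour is right depends on whether a rewritten call is acceptable for the deployment; for a trunk that should only ever carry numeric destinations, refusing the call is the safer default because it also surfaces the attempt in the log.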
