[asterisk-dev] Dialplan oddities with recent Asterisk ?

Andreas Sikkema h323 at ramdyne.nl
Tue Feb 9 16:52:04 CST 2010


On Feb 9, 2010, at 11:04 PM, Tilghman Lesher wrote:

> No, I think the only installations would be those that accept calls over
> untrusted networks.  The question is whether you can trust your users
> not to do that.  In a corporate environment, it's possible someone might
> do that -- and face loss of his or her job.  Similarly, inbound IVRs don't
> dial out, and they are therefore not vulnerable to this scenario.

I would think twice before assuming that Asterisk is not used in any of the situations you mentioned above. It is trivial to find more or less default Trixbox-based systems that might have some basic security built in that nevertheless would be wide open to vulnerabilities like this. Let alone the Asterisk instances installed by well-meaning but basically clueless people using it for LCR on their home network. If it is "easy" to filter out this vulnerability then I think it should be done.

-- 
Andreas

