[asterisk-dev] Dialplan oddities with recent Asterisk ?

Tilghman Lesher tlesher at digium.com
Tue Feb 9 17:21:29 CST 2010


On Tuesday 09 February 2010 16:52:04 Andreas Sikkema wrote:
> On Feb 9, 2010, at 11:04 PM, Tilghman Lesher wrote:
> > No, I think the only installations would be those that accept calls over
> > untrusted networks.  The question is whether you can trust your users
> > not to do that.  In a corporate environment, it's possible someone might
> > do that -- and face loss of his or her job.  Similarly, inbound IVRs
> > don't dial out, and they are therefore not vulnerable to this scenario.
>
> I would think twice before assuming that Asterisk is not used in any of the
> situations you mentioned above. It is trivial to find more or less default
> Trixbox-based systems that might have some basic security built in that
> nevertheless would be wide open to vulnerabilities like this. Let alone the
> Asterisk instances installed by well-meaning but basically clueless people
> using it for LCR on their home network. If it is "easy" to filter out this
> vulnerability then I think it should be done.

I hear what you're saying, but I don't think there's an "easy" way to do that
without crippling a great many people's dialplans.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
