[asterisk-dev] Dialplan oddities with recent Asterisk ?
Tilghman Lesher
tlesher at digium.com
Tue Feb 9 17:21:29 CST 2010
On Tuesday 09 February 2010 16:52:04 Andreas Sikkema wrote:
> On Feb 9, 2010, at 11:04 PM, Tilghman Lesher wrote:
> > No, I think the only installations would be those that accept calls over
> > untrusted networks. The question is whether you can trust your users
> > not to do that. In a corporate environment, it's possible someone might
> > do that -- and face loss of his or her job. Similarly, inbound IVRs
> > don't dial out, and they are therefore not vulnerable to this scenario.
>
> I would think twice before assuming that Asterisk is not used in any of the
> situations you mentioned above. It is trivial to find more or less default
> Trixbox-based systems that might have some basic security built in that
> nevertheless would be wide open to vulnerabilities like this. Let alone the
> Asterisk instances installed by well-meaning but basically clueless people
> using it for LCR on their home network. If it is "easy" to filter out this
> vulnerability then I think it should be done.
I hear what you're saying, but I don't think there's an "easy" way to do that
without crippling a great many people's dialplans.
--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org