[asterisk-dev] Dialplan oddities with recent Asterisk ?

Klaus Darilion klaus.mailinglists at pernau.at
Tue Feb 9 17:22:19 CST 2010


Tilghman Lesher wrote:
> On Tuesday 09 February 2010 12:26:51 Benny Amorsen wrote:
>> Tilghman Lesher <tlesher at digium.com> writes:
>>> I'll second this.  If you need to use the period or exclamation point in
>>> your dialplan, chances are you're providing expensive services
>>> (international) already, and you should be taking every measure to ensure
>>> that you aren't charged incorrectly.  FILTER is an excellent tool for
>>> this.
>> That would be pretty much every installation of Asterisk though,
>> wouldn't it? Except in-bound callcenters.
> 
> No, I think the only installations would be those that accept calls over
> untrusted networks.  The question is whether you can trust your users
> not to do that.  In a corporate environment, it's possible someone might
> do that -- and face loss of his or her job.  Similarly, inbound IVRs don't
> dial out, and they are therefore not vulnerable to this scenario.

The vulnerability is not just the Dial application. Every dialplan 
action which uses ${EXTEN} can be in danger!

Of course it also depends on your PSTN connectivity if such patterns may 
arrive at your Asterisk server. Maybe calls arrive via DUNDI? ....

regards
klaus
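
Added example (not part of the original message and not Asterisk project code): a small Python audit that flags every dialplan action using raw `${EXTEN}` under a pattern containing the `.` or `!` wildcard, and treats values wrapped in `FILTER` as sanitized. The sample dialplan, the peer name `provider` and the function names are constructed for illustration; bracketed character sets in patterns are not parsed.

```python
import re

# Constructed sample dialplan (not from the thread); peer "provider" is hypothetical.
SAMPLE = """\
[from-untrusted]
exten => _00.,1,Verbose(2,Call to ${EXTEN})
same => n,Dial(SIP/provider/${EXTEN})
exten => _0X!,1,Set(SAFE=${FILTER(0-9,${EXTEN})})
same => n,Dial(SIP/provider/${SAFE})
exten => _1XX,1,Dial(SIP/${EXTEN})
exten => _9.,1,Set(CDR(userfield)=${EXTEN:1})
"""

LINE = re.compile(r"^\s*(exten|same)\s*=>\s*(.*)$")
# ${FILTER(<allowed>,${EXTEN})} or ${FILTER(<allowed>,${EXTEN:n})}
FILTERED = re.compile(r"\$\{FILTER\([^,()]*,\$\{EXTEN(?::[^}]*)?\}\)\}")
RAW = re.compile(r"\$\{EXTEN(?::[^}]*)?\}")

def open_ended(pattern):
    """True for patterns whose '.' or '!' wildcard matches arbitrary trailing characters."""
    return pattern.startswith("_") and ("." in pattern or "!" in pattern)

def audit(dialplan):
    """Return (line_no, pattern, action) for raw ${EXTEN} use under an open-ended pattern."""
    findings, pattern = [], None
    for no, line in enumerate(dialplan.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "exten":
            # "same =>" lines keep the pattern of the preceding "exten =>" line
            pattern, _, rest = rest.partition(",")
            pattern = pattern.strip()
        # Drop the priority field; what remains is the application call.
        action = rest.partition(",")[2]
        # Remove FILTER-wrapped uses, then look for any ${EXTEN} that is left.
        if pattern and open_ended(pattern) and RAW.search(FILTERED.sub("", action)):
            findings.append((no, pattern, action.strip()))
    return findings

if __name__ == "__main__":
    for no, pattern, action in audit(SAMPLE):
        print(f"line {no}: {pattern} -> {action}")
```

The fixed-length pattern `_1XX` is not reported because it cannot match extra characters; the `Verbose` and `Set(CDR(...))` lines are reported because they are actions other than Dial that still consume the unfiltered value.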



