[asterisk-dev] Dialstring injection - security advisory release?

Olle E. Johansson oej at edvina.net
Thu Feb 11 07:15:57 CST 2010


I would like to add another mail thread here.

I think it would be good for the Asterisk project if we put out a more official document with a security advisory about this security issue. We need to update/add examples in configs/extension.conf in all releases and probably add a document in doc/ for this too.

At the core of this issue is this advice:

"If you take the incoming called number from a voip protocol that allows alphanumeric dialling and use that unfiltered for dialing out, there is an obvious risk that the caller injects data that can be parsed as an additional dialstring by the dial() application in Asterisk.
We advise everyone to filter out the ampersand (&) character from the extension before using it as a dialstring for the dial() application. There are many ways to do this, one is using the CUT dialplan function to take only the first part or the FILTER dialplan function to filter out the dangerous character or deny the call."

The advisory document needs a few examples using CUT, FILTER and possibly REGEX as well.

After this is done, we can discuss future changes in future versions of Asterisk and possibly enhancements to current releases, but I feel it's important to speed up this information.

What do you think?

/O
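Added example, not part of Olle's mail or of the Asterisk project's shipped configs: an extensions.conf sketch showing the unfiltered Dial() beside the CUT, FILTER and REGEX variants the mail proposes for the advisory. The context names, the `provider` peer name and the `_X.` pattern are assumptions.

```ini
; Added example (not from the original mail). Context names, the peer
; "provider" and the _X. pattern are assumptions for illustration.

; Risky: ${EXTEN} goes straight into Dial(). If the incoming protocol
; allows alphanumeric called numbers, an '&' in ${EXTEN} is read by
; Dial() as the separator before a second dialstring.
[inbound-unfiltered]
exten => _X.,1,Dial(SIP/${EXTEN}@provider)

; Option 1: CUT keeps only the part of EXTEN before the first '&'.
[inbound-cut]
exten => _X.,1,Set(SAFE_EXTEN=${CUT(EXTEN,&,1)})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider)

; Option 2: FILTER is an allowlist; only the listed characters survive,
; so '&' (and anything else that is not a digit) is dropped.
; Add '+' to the allowed set if E.164 numbers with a leading '+' are used.
[inbound-filter]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider)

; Option 3: REGEX detects the character and the call is denied instead
; of being rewritten, leaving a trace in the log for the operator.
[inbound-deny]
exten => _X.,1,GotoIf($[${REGEX("&" ${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${EXTEN}@provider)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected called number containing '&': ${EXTEN})
exten => _X.,n,Hangup()
```

Which of the three fits depends on whether a site prefers to repair the number (CUT, FILTER) or to refuse it outright (REGEX); the FILTER form also covers other non-dialable characters, not just the ampersand.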




