[asterisk-dev] Dialstring injection - security advisory release?

Olle E. Johansson oej at edvina.net
Thu Feb 11 07:43:11 CST 2010


On 11 Feb 2010 at 14:39, Nick Lewis wrote:

>> I think it would be good for the Asterisk project if we put 
>> out a more official document with a security advisory about 
>> this security issue.
> 
> +1
> 
>> The advisory document needs a few examples using CUT, FILTER 
>> and possibly REGEX as well.
> 
> I think these are just expeditious workarounds until the bug is fixed.

I acknowledge that we have many ideas on how to attack this, but while we are discussing this, people might have started to use it, so let's go out with a very clear message NOW that describes what can be done NOW in EXISTING installations without ANY upgrade of the code.

Thanks,
/O

> 
> It should never be acceptable for a programming language (including the
> dialplan language) to permit the content of a variable to execute code
> when it is being passed to a function. 
> 
> The & character is the dialplan language token that identifies an array
> so I think it must be escaped as part of the language and not manually
> by the programmer
> 
> -- N_L
> 
> 

---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
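The thread asks for an advisory with CUT, FILTER and REGEX examples; the fragment below is an added illustration of those three workarounds and is not from the original thread or the Asterisk project. The context names, the trunk name `upstream`, the timeout and the allowed character set are assumptions, and all variants treat ${EXTEN} as data that arrived from the remote party.

```asterisk
; Constructed extensions.conf fragment (not from the original thread).
; Context names, trunk name and the allowed character set are assumptions.

[from-trunk-weak]
; Weak: ${EXTEN} is substituted verbatim into the Dial() argument.
; An '&' inside the value is parsed as the channel separator, so the
; call is also offered to whatever follows it.
exten => _X.,1,Dial(SIP/${EXTEN}@upstream,30)
exten => _X.,n,Hangup()

[from-trunk-filter]
; FILTER(): keep only characters a dial target legitimately needs;
; '&' and any other separator is dropped before Dial() sees it.
exten => _X.,1,Set(SAFE=${FILTER(0-9+*#,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE}@upstream,30)
exten => _X.,n,Hangup()

[from-trunk-cut]
; CUT(): keep only the first '&'-delimited field. Narrower than FILTER,
; since other unexpected characters in the value are left untouched.
exten => _X.,1,Set(SAFE=${CUT(EXTEN,&,1)})
exten => _X.,n,Dial(SIP/${SAFE}@upstream,30)
exten => _X.,n,Hangup()

[from-trunk-regex]
; REGEX(): reject rather than repair. REGEX() returns 1 when the value
; matches the allowed pattern and 0 otherwise, so the call is only
; placed when the whole value is made of allowed characters.
exten => _X.,1,GotoIf(${REGEX("^[0-9+*#]+$" ${EXTEN})}?dial:reject)
exten => _X.,n(dial),Dial(SIP/${EXTEN}@upstream,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected dial string: ${EXTEN})
exten => _X.,n,Hangup()
```

The FILTER() and REGEX() variants are the ones to prefer, since they define what is allowed rather than what is to be stripped; CUT() only addresses the '&' separator.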