[asterisk-dev] Dialstring injection - security advisory release?

Nick Lewis Nick.Lewis at atltelecom.com
Thu Feb 11 10:48:06 CST 2010


> As this is a situation where it is not a security 
> issue that is fix-it-and-forget-it, but rather is 
> an ongoing system administration issue that 
> must be dealt with appropriately in the dialplan.

I disagree.

This does need to be fixed and not left to the dialplan programmer.

The situation in the dialplan language is not the same as the example in
a previous post regarding SQL injection in PHP. In SQL and PHP the
escaping mechanisms that separate data and syntax are different in each
language, so it is not reasonable to expect PHP to protect SQL. The
programmer must do it.

It is, however, reasonable to expect PHP to protect itself, and it does. No
variable or array element can cause code to be injected in PHP. I wonder
whether the PHP team would issue a best practice document if it was
found that, when passed to a function, a string containing for example:

mystring");exec("poweroff"); 

caused the host to power off. I am hopeful that they would issue a
security alert with mitigation advice but that they would also fix PHP.

I think that the vulnerabilities with arrays in the dialplan language are
similar to this and represent a bug in the language that is not just a
result of poor usage. Therefore I feel that action should be taken to
fix the problem.

-- N_L
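The dialplan-level handling that the quoted reply refers to, as an added illustration that is not part of this message, of the thread, or of the Asterisk project's own documentation: an extensions.conf fragment in which a caller-supplied ${EXTEN} reaches Dial() unchanged, beside the same extension restricted with the FILTER() dialplan function so that only digits can be expanded into the dial string. The context names, the trunk name `provider`, the pattern `_X.` and the timeout are assumptions.

```ini
; Constructed example, not from the original thread or the Asterisk project.
; Context names, the trunk "provider", the pattern and timeout are assumed.

[outbound-unfiltered]
; _X. matches any string beginning with a digit, so ${EXTEN} is whatever the
; calling endpoint put in its request, not necessarily only digits. Dial()
; parses the expanded string as syntax: '&' is its documented separator
; between several destinations, so anything the caller supplies is
; interpreted, not merely dialled.
exten => _X.,1,NoOp(Unfiltered EXTEN: ${EXTEN})
exten => _X.,n,Dial(SIP/${EXTEN}@provider,60)
exten => _X.,n,Hangup()

[outbound-filtered]
; FILTER(allowed-chars,string) keeps only the listed characters, so every
; character that Dial() or the channel driver might treat as syntax is
; removed before the variable is expanded into the dial string.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; An extension that is empty after filtering was not a number at all.
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" = ""]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider,60)
exten => _X.,n,Hangup()
exten => _X.,n(reject),Playback(invalid)
exten => _X.,n,Hangup()
```

The allowed set passed to FILTER() should be exactly what the trunk needs (digits, possibly `+` or `#`), and the same treatment applies to any other caller-controlled value, such as ${CALLERID(num)}, before it is placed into an application argument.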

