[asterisk-dev] Dialstring injection - security advisory release?

Tilghman Lesher tlesher at digium.com
Thu Feb 11 13:10:13 CST 2010


On Thursday 11 February 2010 10:48:06 Nick Lewis wrote:
> > As this is a situation where it is not a security
> > issue that is fix-it-and-forget-it, but rather is
> > an ongoing system administration issue that
> > must be dealt with appropriately in the dialplan.
>
> I disagree.
>
> This does need to be fixed and not left to the dialplan programmer.
>
> The situation in the dialplan language is not the same as the example in
> a previous post regarding sql injection in php. In sql and php the
> escaping mechanisms that separate data and syntax are different in each
> language so it is not reasonable to expect php to protect sql. The
> programmer must do it.
>
> It is however reasonable to expect php to protect itself and it does. No
> variable or array element can cause code to be injected in php. I wonder
> whether the php team would issue a best practice document if it was
> found that, when passed to a function, a string containing for example:
>
> mystring");exec("poweroff");
>
> caused the host to poweroff. I am hopeful that they would issue a
> security alert with mitigation advice but that they would also fix php.

On the contrary, this is more akin to a PHP programmer including input text
from a random user on his page, without defanging any potential
embedded Javascript.  This is not a vulnerability that the PHP language can
fix, but the PHP programmer is responsible for taking action.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
