[asterisk-dev] Dialstring injection - security advisory release?

Chris Lee cslee-list at cybericom.co.uk
Thu Feb 11 15:20:19 CST 2010



Nick Lewis wrote:
>> As this is a situation where it is not a security 
>> issue that is fix-it-and-forget-it, but rather is 
>> an ongoing system administration issue that 
>> must be dealt with appropriately in the dialplan.
>>     
>
> I disagree. 
>
> This does need to be fixed and not left to the dialplan programmer. 
>
> The situation in the dialplan language is not the same as the example in
> a previous post regarding sql injection in php. In sql and php the
> escaping mechanisms that separate data and syntax are different in each
> language so it is not reasonable to expect php to protect sql. The
> programmer must do it. 
>
> It is however reasonable to expect php to protect itself and it does. No
> variable or array element can cause code to be injected in php. I wonder
> whether the php team would issue a best practice document if it was
> found that, when passed to a function, a string containing for example:
>
> mystring");exec("poweroff"); 
>
> caused the host to poweroff. I am hopeful that they would issue a
> security alert with mitigation advice but that they would also fix php.
>
> I think that the vulnerabilities with arrays in the dialplan language are
> similar to this and represent a bug in the language that is not just a
> result of poor usage. Therefore I feel that action should be taken to
> fix the problem.
>
> -- N_L
>   
+1

If all variables are regarded as variables and not dialplan code, then 
there is no problem.
Why leave a potential security hole in the dialplan when it is possible 
to ensure that the dialplan does not act on code-like elements of the 
variables?

Chris.
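One concrete instance of the data-versus-syntax point argued above, added here as an example and not taken from the thread: an extensions.conf fragment where the dialed digits reach Dial() unfiltered, beside the same route with FILTER() restricting the variable to digits so that it can only ever be treated as data. The trunk name "provider" is assumed.

```ini
; Added example, not from the mailing-list thread.
; Assumes a SIP peer named "provider" defined elsewhere (hypothetical name).

[outbound-unfiltered]
; ${EXTEN} is substituted verbatim into the Dial() argument, so any
; characters the application reads as syntax are acted on as syntax,
; not as part of the number the caller asked for.
exten => _X.,1,Dial(SIP/${EXTEN}@provider)
exten => _X.,n,Hangup()

[outbound-filtered]
; FILTER() keeps only the characters in the allow-list (here 0-9) and
; drops everything else, so the value handed to Dial() is plain digits
; regardless of what the caller sent. Treat the filtered copy as the
; only dialable representation of the request.
exten => _X.,1,Set(DIGITS=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${DIGITS}" = ""]?reject)
exten => _X.,n,Dial(SIP/${DIGITS}@provider)
exten => _X.,n,Hangup()
exten => _X.,n(reject),Playback(invalid)
exten => _X.,n,Hangup()
```

The reject branch covers the case where filtering leaves nothing behind, which would otherwise produce a Dial() with an empty number rather than a clear failure.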
