[asterisk-dev] Dialstring injection - security advisory release?

[Matt Riddell]

On 12/02/10 11:10 AM, Chris Mylonas wrote:
> I think this has gone a bit over the top.
> Simply put, just before a Dial application, put the FILTER function - no?

Yep, but you'll need to check every usage of ${EXTEN} etc to check what 
you're doing.

The hardest part is actually the oldest bits of code.

Basically anything you previously allowed a guest to do is the highest 
risk (i.e. allowing calls to people on your platform just by using 
SIP:234 at host).

It's not like it's a complicated change, just one that will have to be 
done on lots of machines.

I 100% agree that it's nothing new, just annoying to have to log in to 
every machine you've ever installed and check everything off.

If you have 5 boxes to check, with 10 extensions, sure it's a pretty 
simple change.  As the number of boxes, AGIs, realtime code increase, 
the workload increases.

It's basically just a matter of looking at how long it would take to 
apply a patch vs how long it would take to rejig extensions, priorities 
etc for all systems.

I agree that the best solution is to use FILTER before every dial, agi 
etc, but the concern is if someone were to start trying this immediately.

A quick patch could sort it out while you're going through all your systems.

Don't get me wrong I'm not pissed at anyone else for the dialplan 
rewrite (it's obviously the better option), just pissed at myself for 
not having used FILTER from the start :)

-- 
Cheers,

Matt Riddell
Managing Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)