[asterisk-dev] Dialstring injection - security advisory release?
Matt Riddell
lists at venturevoip.com
Thu Feb 11 17:43:48 CST 2010
On 12/02/10 12:34 PM, Russell Bryant wrote:
> Someone has suggested that we could blacklist the '&' character. Well,
> sure, we could have an option to do that ... but that's really only one
> example of the overall 'dialplan injection' vulnerability that we're
> talking about. What about dialing "1234,,tT" to give yourself transfer
> permissions? There are quite a number of possibilities.
Which was why I suggested an asterisk.conf variable to whitelist
a-z,A-Z,0-9 for pattern matching :)
--
Cheers,
Matt Riddell
Managing Director
_______________________________________________
http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
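As an added example that is not part of this thread or the Asterisk project's own documentation, here is a constructed extensions.conf fragment showing the injection point Russell describes beside a per-extension whitelist of the kind Matt is proposing. It assumes the dialplan FILTER() and LEN() functions are available (they are in the 1.4+ series) and implements the whitelist in the dialplan rather than as a global asterisk.conf option; the context names and the 30 second timeout are illustrative.

```ini
[incoming-vulnerable]
; Constructed example: caller-controlled ${EXTEN} is pasted straight into Dial().
; The _X. pattern matches any string that starts with a digit, so a request for
; "1234&SIP/trunk/0011..." dials a second leg and "1234,,tT" appends Dial()
; arguments (an empty timeout, then the t/T transfer options) to the call.
exten => _X.,1,Dial(SIP/${EXTEN})
exten => _X.,n,Hangup()

[incoming-filtered]
; Same injection point, hardened: keep only the characters the Dial() argument
; is meant to carry and refuse the call if anything was stripped, rather than
; silently dialing a sanitised number the caller did not ask for.
; LEN() returns a plain number, so the $[ ] comparison itself cannot be
; influenced by quotes or operators in the original ${EXTEN}.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN},30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected dialstring with non-digit characters: ${EXTEN})
exten => _X.,n,Hangup()
```

Where the extension numbering is fixed, tightening the pattern itself (for example `_ZXXX` for four-digit extensions instead of `_X.`) refuses the hostile string before it ever reaches Dial(), which is closest to the pattern-matching whitelist Matt suggests. The same filtering applies wherever caller-supplied data is placed into an application argument, not only Dial().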