[asterisk-dev] Dialstring injection - security advisory release?
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Feb 12 03:45:02 CST 2010
On 11.02.2010 23:10, Chris Mylonas wrote:
> I think this has gone a bit over the top.
> Simply put, just before a Dial application, put the FILTER function - no?
No. It is a generic problem which affects not only Dial and the & character.
klaus
>
> On Fri, Feb 12, 2010 at 8:47 AM, Matt Riddell <lists at venturevoip.com> wrote:
>
> On 12/02/10 10:35 AM, Tilghman Lesher wrote:
> >> If it was a feature, surely it would be suggested that the one line
> >> change, defaulting to on in asterisk.conf would be preferred.
> >
> > But it's not a feature, nor is it a bug in the dialplan. Rather, it's a bug
> > in certain people's dialplans, which should be fixed. Hence, educating
> > people about the potential is the right way forward.
>
> Oh well, few days of pretty intense work coming up to fix a bit under a
> hundred Asterisk boxes :)
>
> Maybe it makes sense for me to just write a patch I maintain out of tree.
>
> --
> Cheers,
>
> Matt Riddell
> Managing Director