[asterisk-dev] Dialstring injection - security advisory release?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Feb 12 05:25:32 CST 2010


On Fri, Feb 12, 2010 at 10:43:30AM +0100, Klaus Darilion wrote:
> 
> 
> Am 11.02.2010 21:58, schrieb Matt Riddell:
> > On 12/02/10 8:10 AM, Tilghman Lesher wrote:
> >>> It is however reasonable to expect php to protect itself and it does. No
> >>> variable or array element can cause code to be injected in php. I wonder
> >>> whether the php team would issue a best practice document if it was
> >>> found that, when passed to a function, a string containing for example:
> >>>
> >>> mystring");exec("poweroff");
> >>>
> >>> caused the host to poweroff. I am hopeful that they would issue a
> >>> security alert with mitigation advice but that they would also fix php.
> >>
> >> On the contrary, this is more akin to a PHP programmer including input text
> >> from a random user on his page, without defanging any potential
> >> embedded Javascript.  This is not a vulnerability that the PHP language can
> >> fix, but the PHP programmer is responsible for taking action.
> >
> > I'd much rather see '&' being disallowed in a request by default with an
> > option to allow it.
> 
> I wonder why anybody talks about & only. What about , | / ... Isn't it 
> that all characters which are used by Asterisk commands or functions are 
> potentially harmful? In this case all such characters which are used by 
> Asterisk apps/funcs need to be escaped.
> 
> For external applications (SQL, exec, AGI ...) the script writer has to 
> take itself.

Goto, GotoIf and GotoIfTime may also use an extension in some cases.
What happens if an extension has a comma in it? ':'?

But this is really about contents that comes from channel drivers,
right? What should JABBER_STATUS do if 'buddy' has a ',' in it?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
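As an added illustration of the point Klaus and Tzafrir are making (not code from the thread or from Asterisk itself): the separators that Asterisk applications interpret ('&' between Dial targets, ',' and '|' between arguments, '/' and ':') are exactly what a value taken from a user or a channel driver must not contain. The snippet mimics how Dial() splits its first argument on '&', and shows a validator that refuses such input rather than trying to escape it. The character set, the allow-list pattern and the helper names are assumptions chosen for this example.

```python
import re

# Separator characters discussed in the thread.  Constructed list for this
# example: '&' splits Dial() targets, ',' and '|' split application
# arguments, '/' splits technology from resource, ':' appears in Goto targets.
SEPARATORS = set("&,|/:")

# Conservative allow-list for a destination that is meant to be a plain
# number or extension name.  Assumption: this is all our dialplan ever needs.
ALLOWED = re.compile(r"^[0-9A-Za-z_*#+.-]{1,64}$")


def split_dial_targets(dialstring):
    """Mimic Dial() treating '&' as a separator between parallel targets."""
    return [target for target in dialstring.split("&") if target]


def is_safe_destination(value):
    """True only if value has no separator and matches the allow-list."""
    return bool(ALLOWED.match(value)) and not (set(value) & SEPARATORS)


def build_dial_argument(technology, destination):
    """Compose the first Dial() argument, rejecting unvalidated input."""
    if not is_safe_destination(destination):
        raise ValueError("destination contains separator characters: %r" % destination)
    return "%s/%s" % (technology, destination)


if __name__ == "__main__":
    # Constructed sample: a clean value and one that would turn into two targets.
    print(split_dial_targets("SIP/100&SIP/200"))
    print(build_dial_argument("SIP", "100"))
    print(is_safe_destination("100&SIP/200"))
```

In the dialplan itself the same allow-list check is what the FILTER() function provides; the point is that the check happens before the value reaches Dial(), Goto() or any other application.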
