[asterisk-dev] Dialstring injection - security advisory release?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Feb 12 05:27:42 CST 2010


On Thu, Feb 11, 2010 at 03:35:40PM -0600, Tilghman Lesher wrote:
> On Thursday 11 February 2010 14:58:49 Matt Riddell wrote:
> > On 12/02/10 8:10 AM, Tilghman Lesher wrote:
> > >> It is however reasonable to expect php to protect itself and it does. No
> > >> variable or array element can cause code to be injected in php. I wonder
> > >> whether the php team would issue a best practice document if it was
> > >> found that, when passed to a function, a string containing for example:
> > >>
> > >> mystring");exec("poweroff");
> > >>
> > >> caused the host to poweroff. I am hopeful that they would issue a
> > >> security alert with mitigation advice but that they would also fix php.
> > >
> > > On the contrary, this is more akin to a PHP programmer including input
> > > text from a random user on his page, without defanging any potential
> > > embedded Javascript.  This is not a vulnerability that the PHP language
> > > can fix, but the PHP programmer is responsible for taking action.
> >
> > I'd much rather see '&' being disallowed in a request by default with an
> > option to allow it.
> 
> That violates the SIP specification, and we'd get reamed for it.  I know this
> doesn't concern you, as long as it prevents you from having to do any
> work.

But do we actually do the right thing with a 'bad' "extension" today?

> 
> > The problem is recoding thousands of lines of dialplan code.
> >
> > The other option would be a switch in asterisk.conf which changes the
> > wildcard to only match a-z, A-Z, 0-9.
> 
> That's a change in behavior, which is strictly forbidden by our release
> policy.  It has the potential to break thousands of dialplans with no warning.
> I can't take responsibility for that, and nobody else will, so it's off the
> table.

Is the behaviour of Asterisk clearly defined in those cases?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
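As an added illustration that is not part of the thread: two extensions.conf fragments, one showing the pattern the '&' discussion above is about (the '.' wildcard matching any character and the raw extension reaching Dial(), where '&' separates channels), the other keeping only digits before dialing. The context names, the peer name `upstream` and the digit-only policy are assumptions; FILTER() and GotoIf() are standard dialplan functions/applications.

```ini
; Constructed example, not from the thread or the Asterisk project.

[from-sip-trunk-weak]
; WEAK: '_X.' matches one digit followed by any characters at all, so a
; request URI user part containing '&' still matches, and ${EXTEN} is
; handed straight to Dial(), which treats '&' as a channel separator.
exten => _X.,1,Dial(SIP/${EXTEN}@upstream)
exten => _X.,n,Hangup()

[from-sip-trunk-hardened]
; HARDENED: keep only the characters the dialplan intends to dial (digits
; here, an assumed policy) and refuse the call if anything was stripped.
exten => _X.,1,Set(CLEAN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${CLEAN}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(SIP/${CLEAN}@upstream)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected request: extension contained characters outside 0-9)
exten => _X.,n,Hangup()
```

The hardened context needs no change to the wildcard semantics or to the SIP parser, which is the objection raised against the two proposals quoted above.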