[asterisk-dev] Dialstring injection - security advisory release?
Olle E. Johansson
oej at edvina.net
Fri Feb 12 06:25:48 CST 2010
On 12 Feb 2010, at 12:25, Tzafrir Cohen wrote:
> On Fri, Feb 12, 2010 at 10:43:30AM +0100, Klaus Darilion wrote:
>>
>>
>> Am 11.02.2010 21:58, schrieb Matt Riddell:
>>> On 12/02/10 8:10 AM, Tilghman Lesher wrote:
>>>>> It is however reasonable to expect php to protect itself and it does. No
>>>>> variable or array element can cause code to be injected in php. I wonder
>>>>> whether the php team would issue a best practice document if it was
>>>>> found that, when passed to a function, a string containing for example:
>>>>>
>>>>> mystring");exec("poweroff");
>>>>>
>>>>> caused the host to poweroff . I am hopeful that they would issue a
>>>>> security alert with mitigation advice but that they would also fix php.
>>>>
>>>> On the contrary, this is more akin to a PHP programmer including input text
>>>> from a random user on his page, without defanging any potential
>>>> embedded Javascript. This is not a vulnerability that the PHP language can
>>>> fix, but the PHP programmer is responsible for taking action.
>>>
>>> I'd much rather see '&' being disallowed in a request by default with an
>>> option to allow it.
>>
>> I wonder why anybody talks about & only. What about , | / ... Isn't it
>> that all characters which are used by Asterisk commands or functions are
>> potentially harmful? In this case all such characters which are used by
>> Asterisk apps/funcs need to be escaped.
>>
>> For external applications (SQL, exec, AGI ...) the script writer has to
>> take itself.
>
> Goto, GotoIf and GotoIfTime may also use an extension in some cases.
> What happens if an extension has a comma in it? ':'?
>
> But this is really about content that comes from channel drivers,
> right? What should JABBER_STATUS do if 'buddy' has a ',' in it?
I think a common factor is the dialplan matching. If you're not using pattern matching, there is no problem unless you want it to be. If you are using a very open pattern matching rule, you might get into trouble.
/O
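Two constructed extensions.conf fragments, added here and not part of the thread, showing the very open pattern Olle warns about beside a tightened pattern and an explicit FILTER() whitelist; the context names and the SIP/trunk destination are assumptions.

```ini
; --- constructed example, not from the thread ---
; Context names and the "trunk" peer are assumptions.

[from-peer-open]
; "_X." accepts one digit followed by ANY characters, so whatever the
; remote side put in the Request-URI user part reaches Dial() unchanged,
; including the ',' and '&' that Dial() treats as separators.
exten => _X.,1,Dial(SIP/${EXTEN}@trunk,30)
exten => _X.,n,Hangup()

[from-peer-tight]
; Option 1: let the pattern itself admit only what is expected.
; "_XXXX" matches exactly four digits; nothing else ever reaches Dial().
exten => _XXXX,1,Dial(SIP/${EXTEN}@trunk,30)
exten => _XXXX,n,Hangup()

[from-peer-filtered]
; Option 2: variable-length numbers still need a wide pattern, so
; whitelist the allowed characters before the value is used anywhere.
; FILTER() keeps only the listed characters; if that changed the string,
; something unexpected was present and the call is logged and refused.
; Dial() only ever receives SAFE_EXTEN, so the outcome does not depend
; on the comparison below evaluating cleanly.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@trunk,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected non-numeric extension on ${CHANNEL})
exten => _X.,n,Hangup()
```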