[asterisk-dev] Dialstring injection - security advisory release?
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Feb 15 02:52:54 CST 2010
Am 13.02.2010 16:34, schrieb Benny Amorsen:
> Russell Bryant<russell at digium.com> writes:
>
>> So, there is no way for Dial() to have any idea how the string of
>> arguments it has received was generated, and there is absolutely no way
>> for the pbx core to know anything about how the string of arguments to
>> an application will be interpreted.
>>
>> There really isn't much we can do in the core other than provide all of
>> the necessary tools to allow policy implementations by the dialplan writer.
>
> It is entirely possible to make a programming language where variables
> can be safely passed to functions without security risks inherent in the
> language. This is the case for almost all existing programming
> languages.
I think you have to differentiate between script languages and other languages.
Script languages which do string substitution before calling the
function are vulnerable, e.g.:
#!/usr/bin/php
<?php
$exten="%";
// variable passed as a separate argument: printed literally
printf("%s%d\n",$exten,134);
// variable substituted into the format string before the call: interpreted
printf($exten."%d\n",134);
?>
results in:
./test.php
%134
%d
regards
klaus
>
> Alas, the language used in extensions.conf does not have this property,
> and it would be difficult to change that and still stay reasonably
> compatible with the current dial plan language.
>
>
> /Benny
>
>
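The same substitution-before-parse problem shown in an Asterisk dialplan, as an added example that is not part of the thread: the weak pattern beside a hardened one that whitelists the dialed digits with the FILTER() dialplan function before they reach Dial(). Context names, the trunk name and the SAFE_EXTEN variable are assumptions.

```ini
; Added example (not from the thread). Context, trunk and variable names
; are assumptions; FILTER() and Dial() are standard dialplan functions/apps.

[from-pstn-vulnerable]
; ${EXTEN} is expanded into the argument string BEFORE Dial() parses it.
; A ',' or '&' that ends up in the dialed number therefore becomes an
; extra Dial() argument or an extra channel, exactly like the printf()
; case above: the data is interpreted as part of the call syntax.
exten => _X.,1,Dial(SIP/${EXTEN}@trunk,30)
exten => _X.,n,Hangup()

[from-pstn-hardened]
; Keep only the characters a dialed number may contain, then compare the
; result with the original so anything unexpected is logged and dropped
; instead of silently truncated.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@trunk,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected dialed number with unexpected characters: ${EXTEN})
exten => _X.,n,Hangup()
```

The hardened context applies the policy Russell refers to in the dialplan itself, since the core cannot know which parts of the argument string were caller-supplied.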