[asterisk-dev] Dialstring injection - security advisory release?

Nick Lewis Nick.Lewis at atltelecom.com
Mon Feb 22 04:41:02 CST 2010


>> mystring");exec("poweroff");

> On the contrary, this is more akin to a PHP programmer including input text
> from a random user on his page, without defanging any potential embedded
> Javascript.  This is not a vulnerability that the PHP language can fix, but
> the PHP programmer is responsible for taking action.

Again this is bringing in a second language. I stated that it was up to
the programmer to deal with SQL injection in php so I agree that it is
up to the programmer to deal with Javascript injection in php.

My point is that it is not up to the programmer to deal with php
injection in php. This is up to the php language designer. Similarly I
think it is up to the dialplan language designer to deal with dialplan
injection in the dialplan language.

If the pbx were to escape all the characters that are part of the syntax
of the dialplan language as soon as the variable containing them was
passed from a channel then the language would be as secure as other
languages.

-- N_L
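
The escaping idea in the message above, worked through as an added example (not code from the thread, Asterisk, or ATL Telecom). It models a deliberately simplified dialplan grammar: a line is a sequence of `Name(args)` statements separated by `;`, with `"` delimiting strings and `\` escaping the next character. The `META` character set, the `Set(CALLERID(name)="...")` template and the parser are assumptions of this model, not Asterisk's real syntax. The injected value is the one quoted at the top of the thread; the point shown is that both an escape-on-entry step and an allowlist filter (the approach of a function like Asterisk's `FILTER()`) reduce the line back to a single application call.

```python
import re

# Characters that carry syntactic meaning in this simplified, constructed grammar.
# Assumption for the demonstration: the real dialplan grammar has more.
META = set('${}()",;\\')

# Constructed template: a channel-supplied value spliced into an application argument.
TEMPLATE = 'Set(CALLERID(name)="%s")'

# The injected value quoted in the thread.
INJECTED = 'mystring");exec("poweroff");'


def escape_meta(value: str) -> str:
    """Escape-on-entry: backslash every syntax character so it becomes literal data."""
    return ''.join('\\' + ch if ch in META else ch for ch in value)


ALLOWED = re.compile(r'[A-Za-z0-9 ._+-]')


def allowlist_filter(value: str) -> str:
    """Allowlist approach: keep only characters that have no syntax meaning."""
    return ''.join(ch for ch in value if ALLOWED.match(ch))


def split_statements(line: str) -> list:
    """Split a line into statements at ';' characters that are unescaped and outside quotes."""
    stmts, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '\\' and i + 1 < len(line):      # escaped char: copy both, no meaning
            cur.append(line[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:            # statement boundary
            stmts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        stmts.append(''.join(cur))
    return stmts


APP_CALL = re.compile(r'^\w+\(.*\)$', re.S)


def application_calls(line: str) -> list:
    """Names of the application calls a naive interpreter of this grammar would execute."""
    return [s.split('(', 1)[0] for s in split_statements(line) if APP_CALL.match(s)]


def build(value: str, sanitizer=None) -> str:
    """Splice a channel-supplied value into the template, optionally sanitizing it first."""
    if sanitizer is not None:
        value = sanitizer(value)
    return TEMPLATE % value


if __name__ == '__main__':
    for name, san in (('raw', None), ('escaped', escape_meta), ('filtered', allowlist_filter)):
        line = build(INJECTED, san)
        print(f'{name:9s} {application_calls(line)}  {line}')
```

Run stand-alone, the raw splice yields two application calls (`Set` and `exec`) while both sanitized variants yield only `Set`. The escape variant preserves the caller's data byte for byte as a literal, which is what the message argues the pbx should do at the channel boundary; the allowlist variant is simpler but silently drops characters.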