[asterisk-dev] Dialstring injection - security advisory release?

Nick Lewis Nick.Lewis at atltelecom.com
Mon Feb 22 08:38:12 CST 2010


>The issue
>that brought this to light is explicitly related to the Dial()
>application and its sub-parsing of arguments. While this is 
>very common, and there are other applications that also use 
>'&' for sub-parsing, none of them are vulnerable to the sort of 
>attacks that Dial() is, and so escaping this character for them 
>is just wasteful and inefficient.

Is it wise to have every function determine its own syntax for arrays?
Perhaps native *dpl support for arrays would be worthwhile.

>Given that, I really can't see the justification for a massive,
>system-wide audit of all possible characters that might be able 
>to be mis-used, and a subsequent automatic escaping of them, 
>necessitating significant dialplan changes for users upgrading 
>to a version containing these changes.

Some have suggested a config option to reject all non-alphanumeric
characters (even those that cannot currently be misused - avoiding the
need for an audit). An alternative is to automatically escape all
non-alphanumeric characters. This may require the programmer to manually
escape some literals but seems less drastic.

I accept that such a change may add work for those dialplan programmers
who use 'strange' characters in their extensions, but I suspect that it
may reduce the work of most dialplan programmers who do not use
'strange' characters in their extensions and just want to make
their dialplans secure.

-- N_L
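To make the two mitigations under discussion concrete, here is a small simulation of an application that splits its first argument on '&' (as the thread says Dial() does), fed from a caller-controlled extension, with no filtering, with the "reject all non-alphanumerics" option, and with the "auto-escape all non-alphanumerics" option side by side. This is an added example written for this archive page, not code from the original post and not Asterisk's own parser: the backslash-escape convention, the alphanumeric-only character class, the `SIP/<exten>@trunk` template and the `build_dial` policy names are all assumptions made for the illustration, and the sample extensions are constructed.

```python
"""Simulated '&' sub-parsing of a Dial()-style argument, with the
reject and escape mitigations from the asterisk-dev thread.
Constructed illustration only; the escaping convention (backslash
before a literal) is an assumption of this model, not Asterisk's."""
import re
from typing import List


class DialstringRejected(ValueError):
    """Raised when the 'reject' policy finds a disallowed character."""


def split_dial_targets(dialstring: str) -> List[str]:
    """Mimic an application that splits its argument on unescaped '&'.

    A backslash makes the next character literal (assumed convention).
    Every element returned would become a separate channel to ring.
    """
    targets: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dialstring):
        ch = dialstring[i]
        if ch == "\\" and i + 1 < len(dialstring):
            current.append(dialstring[i + 1])  # escaped: keep literally
            i += 2
            continue
        if ch == "&":
            targets.append("".join(current))   # unescaped: new target
            current = []
        else:
            current.append(ch)
        i += 1
    targets.append("".join(current))
    return [t for t in targets if t]


# Assumed "safe" class: letters and digits only, as the thread proposes.
SAFE = re.compile(r"^[A-Za-z0-9]*$")


def reject_unsafe(value: str) -> str:
    """Option 1 from the thread: refuse any non-alphanumeric character."""
    if not SAFE.match(value):
        raise DialstringRejected(f"disallowed character in {value!r}")
    return value


def escape_unsafe(value: str) -> str:
    """Option 2 from the thread: backslash-escape every non-alphanumeric
    so the sub-parser treats it as a literal rather than a separator."""
    return re.sub(r"([^A-Za-z0-9])", r"\\\1", value)


def build_dial(exten: str, policy: str) -> List[str]:
    """Substitute a caller-supplied extension into a fixed dial template
    under the chosen policy and return the targets the parser would ring."""
    if policy == "none":
        safe = exten
    elif policy == "reject":
        safe = reject_unsafe(exten)
    elif policy == "escape":
        safe = escape_unsafe(exten)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return split_dial_targets(f"SIP/{safe}@trunk")


if __name__ == "__main__":
    # Constructed sample: a dialled number carrying an extra '&' target.
    hostile = "1234&SIP/evil"
    print("none   :", build_dial(hostile, "none"))     # two targets
    print("escape :", build_dial(hostile, "escape"))   # one literal target
    try:
        build_dial(hostile, "reject")
    except DialstringRejected as err:
        print("reject :", err)
    # A legitimate feature code keeps working under 'escape' but not 'reject'.
    print("escape *98:", build_dial("*98", "escape"))
```

Run as-is to see the unfiltered case ring two channels while the escape policy collapses the same input into one literal target. The last line shows the trade-off the message mentions: the escape policy keeps an extension such as `*98` usable as a literal, whereas the reject policy would refuse it, which is the extra work for programmers who use 'strange' characters.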



