[asterisk-dev] Dialstring injection - security advisory release?

Leif Madsen leif.madsen at asteriskdocs.org
Tue Feb 23 08:37:21 CST 2010


Kevin P. Fleming wrote:
> Given that, I really can't see the justification for a massive,
> system-wide audit of all possible characters that might be able to be
> mis-used, and a subsequent automatic escaping of them, necessitating
> significant dialplan changes for users upgrading to a version containing
> these changes.

It also seems like you need to know a lot about someone's dialplan before being 
able to use this kind of attack. If you're not allowing guest access to your 
system (and subsequently not allowing guests to dial out from your system), then 
you need to be authenticated.

If someone is able to authenticate to your system who shouldn't be, then that's 
another entire issue. If someone who is supposed to authenticate to you and is 
also sending an attack such as this, then perhaps you have bigger issues to deal 
with.

While the possibility for "bad things" to happen exists, it feels as though a 
practical attack of this nature is a remote possibility.

Leif Madsen.
