[asterisk-dev] Dialstring injection - security advisory release?
Leif Madsen
leif.madsen at asteriskdocs.org
Tue Feb 23 08:37:21 CST 2010
Kevin P. Fleming wrote:
> Given that, I really can't see the justification for a massive,
> system-wide audit of all possible characters that might be able to be
> mis-used, and a subsequent automatic escaping of them, necessitating
> significant dialplan changes for users upgrading to a version containing
> these changes.
It also seems like you need to know a lot about someone's dialplan before being
able to use this kind of attack. If you're not allowing guest access to your
system (and subsequently not allowing guests to dial out from your system), then
you need to be authenticated.
If someone is able to authenticate to your system who shouldn't be, then that's
another entire issue. If someone who is supposed to authenticate to you and is
also sending an attack such as this, then perhaps you have bigger issues to deal
with.
While there is the possibility for "bad things" to happen, it feels as though a practical
attack of this nature is a remote possibility.
Leif Madsen.
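The two mitigations touched on in this thread (refusing guest access, and filtering caller-supplied data before it is spliced into a Dial() string) can be shown in configuration form. The fragment below is an added illustration, not something posted to the list and not from the Asterisk project itself; the context name `internal`, the peer name `trunk`, and the variable `SAFE_EXTEN` are placeholders chosen for the example.

```ini
; sip.conf (added illustration): refuse unauthenticated callers so that
; only authenticated peers ever reach the dialplan at all.
[general]
allowguest=no

; extensions.conf (added illustration): hypothetical context [internal]
; that forwards dialed numbers to a hypothetical peer named "trunk".
[internal]
; Unsafe form: ${EXTEN} is passed verbatim into the Dial() string, so a
; caller who can place dialstring separator characters into the dialed
; number can change which channels Dial() tries to reach.
;exten => _X.,1,Dial(SIP/${EXTEN}@trunk)

; Hardened form: FILTER() keeps only the characters a phone number can
; contain, so anything else is stripped before Dial() ever sees it.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9+,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@trunk)
```

The allowed-character set in FILTER() should match what the dialplan actually expects at that point (digits, and a leading plus where E.164 numbers are accepted); widening it to include separator characters would reintroduce the problem the filter is there to remove.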