[Asterisk-Security] Multiple Vulnerabilities in Asterisk 1.2.10 (Fixed in 1.2.11)
Duane
duane at e164.org
Sun Aug 27 07:00:58 MST 2006
On Sun, 2006-08-27 at 08:56 -0500, Kevin P. Fleming wrote:
> No, it is not. The input to app_record comes from the _administrator_, not from a user. The administrator has complete and total control over what is fed to app_record, and if they do something silly like allow untrusted data from a user to be part of that input, then they can expect to be vulnerable.
But at the same time Asterisk could use a built-in sanity checker to
escape various characters etc., i.e. protecting people from themselves...
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."