[Asterisk-Users] A unique 'click to call' project - Could use some advice <--one thing I forgot
Michiel van Baak
michiel at vanbaak.info
Fri Feb 17 12:32:01 MST 2006
On 12:14, Fri 17 Feb 06, Colin Anderson wrote:
> In the example I posted previous, there is an obvious gaping security hole:
> it would be trivial for someone to read the querystring and exploit it to
> make free phone calls, spoof caller ID (if you allow the CallerID to be set
> with a QueryString value), etc. You want to make damn sure that the URL is
> not publicly accessible or somehow obfuscate the querystring, or use POST.
>
> In my case, I hard-code the destination phone numbers into the context so
> even if the script gets exploited all they can do is call a single guy.
gheh, I was just about to warn this list about that ;)
What I did was use a separate context for it and only allow
calls to predefined "agents".
In the OP's case, they can make a context which only allows
the agent phone numbers on one leg of the call :)
Good luck with the setup
--
Michiel van Baak
http://michiel.vanbaak.info
michiel at vanbaak.info
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D
"Why is it drug addicts and computer afficionados are both called users?"
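The restricted context the reply describes, written out as an added extensions.conf example (not configuration from either poster); the context name `click2call`, the agent extensions 1001/1002 and the SIP peer names are assumed:

```ini
; Added example: a dedicated dialplan context for the click-to-call script.
; The web script originates the customer leg and hands it to this context,
; e.g. via the manager interface:
;   Action: Originate
;   Channel: SIP/trunk/<customer number from the form>
;   Context: click2call
;   Exten: 1001
;   Priority: 1
; Because the originate names this context and not the general outbound
; one, the far leg can only ever be one of the agents listed below.

[click2call]
; Predefined agents: the only destinations this context will dial.
exten => 1001,1,Dial(SIP/agent1001,30)
exten => 1001,2,Hangup()
exten => 1002,1,Dial(SIP/agent1002,30)
exten => 1002,2,Hangup()

; Exact extensions are matched before patterns, so this catch-all only
; sees requests for anything other than a listed agent. It logs and
; hangs up instead of dialling whatever the querystring asked for.
exten => _X.,1,NoOp(click2call: refused destination ${EXTEN})
exten => _X.,2,Hangup()
```

If the context contained no catch-all at all, an unlisted extension would simply fail to match, which is also safe; the NoOp line is there so refused requests show up in the Asterisk log.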