[asterisk-users] Important security alert: update your dialplans now!

Tommy Botten Jensen tommy.jensen at freecode.no
Tue Feb 16 16:45:53 CST 2010



I have tried to replicate this, but with no luck. If I use a SIP client
that supports '&', I still get a reject from Asterisk.

I am writing a filter for Lua (pbx_lua), but it's a bit hard when I
cannot reproduce and test this. I've tried with both 1.6.1-series and
1.6.2. Any ideas?

Thanks,

Tommy

Landy Landy wrote:
> I have this:
> 
> [menu]
> exten => _X.,1,answer()
> exten => _X.,2,wait(1)
> exten => _X.,n,GoTo(ivr,s,1)
> 
> 
> [default]
> include => record
> include => incoming
> include => menu
> 
> [local-dial]
> exten => _1XX,1,Verbose("..... In local-dial context, dialing exten: ${EXTEN} .....")
> exten => _1XX,2,Dial(SIP/${EXTEN},20,tTmkKhHWw)
> exten => _1XX,n,voicemail(${EXTEN},u)
> exten => _1XX,n,Hangup()
> include => agents
> include => queue
> include => local-iax
> include => voicemail
> include => timeofday
> include => parkedcalls
> include => pickup
> include => to_client
> include => test-agi
> 
> include => menu
> 
> that goes to an ivr. Can this be a security bridge?
> 
> 
> 
> --- On Mon, 2/15/10, Tony Mountifield <tony at softins.clara.co.uk> wrote:
> 
>> From: Tony Mountifield <tony at softins.clara.co.uk>
>> Subject: Re: [asterisk-users] Important security alert: update your dialplans now!
>> To: asterisk-users at lists.digium.com
>> Date: Monday, February 15, 2010, 11:58 AM
>> In article <699ee941002150033t7c6e1be5xdba76cb0f68d5c39 at mail.gmail.com>,
>> Lenz Emilitri <lenz.loway at gmail.com> wrote:
>>>
>>> Or one could simply rewrite to:
>>>
>>> [incoming-from-voip]
>>> exten => XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>>> exten => XXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>>> exten => XXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>>> exten => XXXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>>> [incoming-from-voip-old]
>>> exten => _X., 1, dial(SIP/${EXTEN})
>>>
>>> To avoid extensive rewriting and fix the current issue.
>>> l.
>> Don't forget you still need the underscore to make X magic:
>>
>> exten => _XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>>
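An added example, not part of the original thread: a small heuristic audit for extensions.conf that flags the two problems discussed above, a wildcard pattern (`.` or `!`) that hands `${EXTEN}` to Dial() without passing it through Asterisk's FILTER() dialplan function, and an X/Z/N pattern that lacks the leading underscore. The names `audit` and `is_open_pattern`, the `[filtered]` context and the sample text (built from lines quoted in the thread) are assumptions made for this example.

```python
import re

# exten => <pattern>,<priority>,<application(...)>
EXTEN_LINE = re.compile(r"^\s*exten\s*=>\s*([^,]+?)\s*,\s*[^,]+?\s*,\s*(.*)$", re.I)
USES_EXTEN = re.compile(r"\$\{EXTEN(?::[^}]*)?\}")
# ${FILTER(<allowed-chars>,${EXTEN})} is treated as a sanitised use of EXTEN.
FILTERED = re.compile(r"\$\{FILTER\([^,]+,\s*\$\{EXTEN(?::[^}]*)?\}\)\}", re.I)

def is_open_pattern(pattern):
    """True for a pattern ('_' prefix) containing '.' or '!', which match any characters."""
    return pattern.startswith("_") and any(c in pattern[1:] for c in ".!")

def audit(dialplan):
    """Return (line_no, context, pattern, issue) tuples for risky exten lines."""
    findings, context = [], None
    for no, raw in enumerate(dialplan.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
            continue
        m = EXTEN_LINE.match(line)
        if not m:
            continue
        pattern, app = m.groups()
        if re.fullmatch(r"[XZN]+", pattern):         # literal, not a pattern
            findings.append((no, context, pattern, "missing-underscore"))
        elif is_open_pattern(pattern) and app.lower().startswith("dial("):
            if USES_EXTEN.search(FILTERED.sub("", app)):
                findings.append((no, context, pattern, "unfiltered-exten"))
    return findings

# Constructed sample: lines quoted in the thread plus one FILTER() variant.
SAMPLE = """\
[incoming-from-voip]
exten => XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
[incoming-from-voip-old]
exten => _X., 1, dial(SIP/${EXTEN})
[menu]
exten => _X.,n,GoTo(ivr,s,1)
[local-dial]
exten => _1XX,2,Dial(SIP/${EXTEN},20,tTmkKhHWw)
[filtered]
exten => _X.,1,Dial(SIP/${FILTER(0-9,${EXTEN})})
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check looks at each line in isolation, so it reports `[incoming-from-voip-old]` even when that context is only reached through fixed-length patterns; treat its output as a list of lines to review.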


