[Asterisk-Security] Multiple Vulnerabilities in Asterisk 1.2.10 (Fixed in 1.2.11)

Kevin P. Fleming kpfleming at digium.com
Sun Aug 27 07:17:32 MST 2006


----- Duane <duane at e164.org> wrote:
> Actually many would consider it to be a vulnerability in the same way
> they did before languages such as php/perl provided functions like
> escapeshellarg()...

True. However, there is such limited use of user-provided data in the Asterisk dialplan and so few dialplan applications where it can be used to construct filenames that the potential for this problem is very low.

In fact, in this specific scenario, if the administrator is not already controlling the incoming CNAM information, then using the CNAM in the Record() filename is pointless anyway, since the end user can make that CNAM be anything they want, and the resulting files generated by Record() could not be tied back to a specific user/caller anyway.

This is very, very different from a scripting language that is accepting input from an HTML form :-)

-- 
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.
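
An allowlist filter of the kind the escapeshellarg() comparison in this thread points at, applied to a caller-supplied name before it becomes part of a recording filename. This is an added example, not part of the original message and not Asterisk code; the function name, the allowlist and the "unknown" fallback are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Asterisk code): copy an untrusted caller ID name
 * into `out` as one safe filename component. Only allowlisted characters
 * survive; everything else ('/', '.', spaces, shell metacharacters, control
 * bytes) becomes '_'. Returns the number of characters written. */
size_t safe_name_component(const char *cnam, char *out, size_t outlen)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789-";
    size_t n = 0, kept = 0;

    if (out == NULL || outlen == 0)
        return 0;
    if (cnam != NULL) {
        /* Stop one short of outlen so the terminator always fits. */
        for (; *cnam != '\0' && n + 1 < outlen; cnam++) {
            if (strchr(allowed, *cnam) != NULL) {
                out[n++] = *cnam;
                kept++;
            } else {
                out[n++] = '_';
            }
        }
    }
    out[n] = '\0';
    /* NULL, empty, or nothing but rejected bytes: use a fixed placeholder. */
    if (kept == 0) {
        strncpy(out, "unknown", outlen - 1);
        out[outlen - 1] = '\0';
        n = strlen(out);
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from real calls. */
    const char *samples[] = { "Bob Smith", "../../etc/passwd", "a`b$c", "" };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        safe_name_component(samples[i], buf, sizeof buf);
        printf("[%s] -> [%s]\n", samples[i], buf);
    }
    return 0;
}
```

The filtered value only makes the filename safe to create; as the message above notes, it still does not tie a recording to a caller unless the CNAM itself is controlled.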


