On Mon, 30 Aug 2010, Vince Vielhaber wrote:

>
> On Mon, 30 Aug 2010, Frank Griffith wrote:
>
>> Ok, so let me see if I understand this now....
>>
>> someone could have done something like this from their SIP phone or asterisk
>> console
>>
>> dial/SIP/my_IP_ADDRESS/01159721232
>>
>> and my dial plan of course let them out because I'm a lazy hack who hasn't yet
>> tightened up on the security. Honestly, I've read TFOT volume 2 many times and
>> never would have known it would be that easy. I am working on tightening up the
>> dial plan now. It's been working for me for several years now but only in the
>> last few weeks did anything go wrong.
>
> Exactly.  And once it was discovered, whoever discovered it made it
> a point to tell everybody they know.
>
There is also an issue with ${EXTEN}; it is like an SQL injection:
http://www.voip-forum.com/?p=241&preview=true

        /Chris

http://www.arnold.se/chris/
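The two holes the thread names (an open default context that lets anonymous SIP calls out on the trunk, and ${EXTEN} handed to something that interprets it) can both be closed in the dialplan. The fragments below are an added example, not taken from the thread or from Asterisk's sample configs; the trunk name sip-provider, the peer alice, the context names and the script path are placeholders, and the "before" lines are commented out so the file as written is the hardened version.

```ini
; ---- sip.conf ----
[general]
;allowguest=yes      ; before: anonymous INVITEs are accepted and land in [default]
allowguest=no        ; after: unauthenticated SIP calls are refused outright
context=default      ; anything unmatched still goes here; keep it harmless (below)

[alice]              ; an authenticated phone (placeholder peer)
type=friend
secret=CHANGE_ME
context=internal     ; only authenticated peers reach the outbound rules

; ---- extensions.conf ----
[default]
; before: one open pattern sent any dialled string straight to the trunk, so
;   Dial(SIP/my_IP_ADDRESS/01159721232) from any phone became an outbound call.
;exten => _X.,1,Dial(SIP/sip-provider/${EXTEN})
; after: nothing in this context can place a call; log the attempt and drop it.
exten => _X.,1,NoOp(Rejected unauthenticated call to ${EXTEN} from ${CHANNEL(peerip)})
exten => _X.,n,Hangup()

[internal]
; ${EXTEN} is the user part of the SIP Request-URI, chosen by the caller.
; before: passing it unfiltered to a shell (or a query) is the injection the
;   linked post warns about; a dialled string like 123$(id) is not a number.
;exten => _X.,1,System(/usr/local/bin/log-call.sh ${EXTEN})
; after: whitelist the characters a number may contain and use only the
;   filtered copy; a string that changed under filtering is rejected.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?bad)
exten => _X.,n,System(/usr/local/bin/log-call.sh ${SAFE_EXTEN})
exten => _X.,n,Dial(SIP/sip-provider/${SAFE_EXTEN},60)
exten => _X.,n,Hangup()
exten => _X.,n(bad),NoOp(Rejected non-numeric extension ${EXTEN})
exten => _X.,n,Hangup()
```

After the change, `sip show peers` should show every phone with a context other than default, and the NoOp lines give a grep target in the full log for any attempt that still reaches [default].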

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Asterisk-BSD mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-bsd
