[Freeswitch-users] Dial String Inject in FreeSwitch
Anthony Minessale
anthony.minessale at gmail.com
Mon Feb 22 08:19:21 PST 2010
Please do not use our project to try to make your blog more popular.
Your example requires you to prepare an intentional specific extension on
the FreeSWITCH custom made for your attack. It’s like saying if you leave
your door wide open at your house and call and tell someone, they can come
and rob you at 8:30.
This extension is also vulnerable “by virtue of the stupidity of the
composer”
<extension name="please-hack-me">
  <condition>
    <action application="system" data="${destination_number}"/>
  </condition>
</extension>
You should not allow tainted data from outside the system to be fed directly
into your code. There is a regex system in place to extract legitimate data
from the user tainted input and safeguard against this.
On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com> wrote:
>
> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>
> Just for your information, I wrote this article on my tests for injections in
> FreeSWITCH
>
> version of my tests
>
> freeswitch at internal> version
> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
> freeswitch at internal>
>
--
Anthony Minessale II
FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/
Twitter: http://twitter.com/FreeSWITCH_wire
AIM: anthm
MSN: anthony_minessale at hotmail.com
GTALK/JABBER/PAYPAL: anthony.minessale at gmail.com
IRC: irc.freenode.net #freeswitch
FreeSWITCH Developer Conference
sip:888 at conference.freeswitch.org
iax:guest at conference.freeswitch.org/888
googletalk:conf+888 at conference.freeswitch.org
pstn:+19193869900
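
The weak extension from the message above next to a form that uses the dialplan's condition regex to extract the data, as an added example that is not part of the original thread or the FreeSWITCH project's own configuration. The extension name "notify-extension", the four-digit pattern and the script path /usr/local/bin/notify.sh are assumptions made for illustration.

```xml
<!-- Added example, not from the original thread. The second extension's
     name, the 4-digit pattern and the script path are hypothetical. -->

<!-- Weak: the condition has no field/expression, so it always matches and
     whatever the caller dialed becomes the entire command line handed to
     the system application. -->
<extension name="please-hack-me">
  <condition>
    <action application="system" data="${destination_number}"/>
  </condition>
</extension>

<!-- Corrected: the condition matches only when the whole dialed string is
     exactly four digits (anchored with ^ and $). The action runs a fixed
     command and passes only the capture group ($1), never the raw
     ${destination_number} channel variable. -->
<extension name="notify-extension">
  <condition field="destination_number" expression="^(\d{4})$">
    <action application="system" data="/usr/local/bin/notify.sh $1"/>
  </condition>
</extension>
```

Because the capture group can only ever contain digits, no shell metacharacter supplied by the caller reaches the command line, and any dialed string that is not four digits simply fails to match the extension.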