[Freeswitch-users] Dial String Inject in FreeSwitch

Eder Souza ederwander at gmail.com
Mon Feb 22 08:33:32 PST 2010


Anthony, I don't see why??


this is just an alert for the whole community about the danger of using the regular
expression (.*) or (.*) ...

many people make dialplans which use these expressions ...
On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale <
anthony.minessale at gmail.com> wrote:

> Please do not use our project to try to make your blog more popular.
>
> Your example requires you to prepare an intentional, specific extension on
> the FreeSWITCH, custom made for your attack. It's like saying that if you leave
> your door wide open at your house and call and tell someone, they can come
> and rob you at 8:30.
>
> This extension is also vulnerable "by virtue of the stupidity of the
> composer"
>
> <extension name="please-hack-me">
>   <condition>
>     <!-- untrusted dialed digits passed straight to a shell command -->
>     <action application="system" data="${destination_number}"/>
>   </condition>
> </extension>
>
> You should not allow tainted data from an outside system to be fed directly
> into your code. There is a regex system in place to extract legitimate data
> from the user-tainted input and safeguard against this.
>
>
>
>
>
> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com> wrote:
>
>>
>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>>
>> just for your information, I wrote this article on my tests for injections in
>> FreeSWITCH
>>
>> version of my tests
>>
>> freeswitch at internal> version
>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>> freeswitch at internal>
>>
>>
>>
>>
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
>
> --
> Anthony Minessale II
>
> FreeSWITCH http://www.freeswitch.org/
> ClueCon http://www.cluecon.com/
> Twitter: http://twitter.com/FreeSWITCH_wire
>
> AIM: anthm
> MSN: anthony_minessale at hotmail.com
> GTALK/JABBER/PAYPAL: anthony.minessale at gmail.com
> IRC: irc.freenode.net #freeswitch
>
> FreeSWITCH Developer Conference
> sip:888 at conference.freeswitch.org
> iax:guest at conference.freeswitch.org/888
> googletalk:conf+888 at conference.freeswitch.org
> pstn:+19193869900
>
>
>
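The regex safeguard Anthony refers to, and the overly broad (.*) pattern Eder warns about, side by side in a dialplan fragment. This is an added illustration, not code from the thread or from the FreeSWITCH project; the four-digit extension range and the "bridge" target are assumed for the example.

```xml
<include>
  <!-- Still dangerous: (.*) matches anything, so the capture $1 is just the raw
       caller-controlled dialed string and offers no safeguard at all. -->
  <extension name="matches-everything">
    <condition field="destination_number" expression="^(.*)$">
      <action application="bridge" data="user/$1@${domain_name}"/>
    </condition>
  </extension>

  <!-- Hardened: the condition only matches exactly four digits, and only the
       validated capture $1 is used afterwards. Anything else falls through to
       the next extension instead of being acted on. Caller input is never
       handed to the "system" application. -->
  <extension name="local-extensions">
    <condition field="destination_number" expression="^(\d{4})$">
      <action application="bridge" data="user/$1@${domain_name}"/>
    </condition>
  </extension>
</include>
```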