[Freeswitch-users] Dial String Inject in FreeSwitch
Anthony Minessale
anthony.minessale at gmail.com
Mon Feb 22 08:47:43 PST 2010
To me it sounds like a way to sound the alarms and bring negative attention.
For instance, if you were sincerely concerned, you could have told us about
your discovery privately first, and we could feature a story on our own site
warning people of this danger and reminding them how to compose extension
properly.
The posting was instead made like a big public announcement calling our
software "imperfect".
Yes it is imperfect, It can't properly detect someone being a moron 100% of
the time but it sure tries it's darndest.
On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com> wrote:
> Antony i dont see why ??
>
>
> this is just one alert for all comunity of danger in the use of regular
> expression (.*) or (.*) ...
>
> many peoples can make dialplans witch use of this expressions ...
>
>
>
>
>
>
> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale <
> anthony.minessale at gmail.com> wrote:
>
>> Please do not use our project to try to make your blog more popular.
>>
>> Your example requires you to prepare an intentional specific extension on
>> the FreeSWITCH custom made for your attack. It’s like saying if you leave
>> your door wide open at your house and call and tell someone, they can come
>> and rob you at 8:30.
>>
>> This extension is also vulnerable “by virtue of the stupidity of the
>> composer”
>>
>> <extension name=”please-hack-me”/>
>> <condition>
>> <action application=”system” data=”${destination_number}”/>
>> </condition>
>> </extension>
>>
>> You should not allow tainted data from outside system to be fed directly
>> into your code. There is a regex system in place to extract legitimate data
>> from the user tainted input and safeguard against this.
>>
>>
>>
>>
>>
>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com>wrote:
>>
>>>
>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>>>
>>> just for yours informations i write this article my test for injections
>>> in freesitch
>>>
>>> version of my tests
>>>
>>> freeswitch at internal> version
>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>>> freeswitch at internal>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>>
>> --
>> Anthony Minessale II
>>
>> FreeSWITCH http://www.freeswitch.org/
>> ClueCon http://www.cluecon.com/
>> Twitter: http://twitter.com/FreeSWITCH_wire
>>
>> AIM: anthm
>> MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
>> IRC: irc.freenode.net #freeswitch
>>
>> FreeSWITCH Developer Conference
>> sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
>> iax:guest at conference.freeswitch.org/888
>> googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
>> pstn:+19193869900
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
--
Anthony Minessale II
FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/
Twitter: http://twitter.com/FreeSWITCH_wire
AIM: anthm
MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
IRC: irc.freenode.net #freeswitch
FreeSWITCH Developer Conference
sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
iax:guest at conference.freeswitch.org/888
googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
pstn:+19193869900
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100222/187bcb50/attachment-0002.html
More information about the FreeSWITCH-users
mailing list