[Freeswitch-users] Dial String Inject in FreeSwitch
Eder Souza
ederwander at gmail.com
Mon Feb 22 09:09:41 PST 2010
I prefer FreeSwitch; I left Asterisk.
FreeSwitch is much, much better than Asterisk in my opinion!!
My intention is just to say: don't use (.*), (.+) or combinations of these
regular expressions. For me, FreeSwitch is the better one!!
On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale <anthony.minessale at gmail.com> wrote:
> To me it sounds like a way to sound the alarms and bring negative
> attention.
>
> For instance, if you were sincerely concerned, you could have told us about
> your discovery privately first, and we could feature a story on our own site
> warning people of this danger and reminding them how to compose extensions
> properly.
>
> The posting was instead made like a big public announcement calling our
> software "imperfect".
> Yes, it is imperfect. It can't properly detect someone being a moron 100% of
> the time, but it sure tries its darnedest.
>
> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com> wrote:
>
>> Anthony, I don't see why??
>>
>> This is just an alert for the whole community about the danger in the use of
>> the regular expressions (.*) or (.*) ...
>>
>> Many people can make dialplans which use these expressions ...
>>
>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale <anthony.minessale at gmail.com> wrote:
>>
>>> Please do not use our project to try to make your blog more popular.
>>>
>>> Your example requires you to prepare an intentional specific extension on
>>> the FreeSWITCH custom made for your attack. It's like saying if you leave
>>> your door wide open at your house and call and tell someone, they can come
>>> and rob you at 8:30.
>>>
>>> This extension is also vulnerable "by virtue of the stupidity of the
>>> composer":
>>>
>>> <extension name="please-hack-me">
>>>   <condition>
>>>     <action application="system" data="${destination_number}"/>
>>>   </condition>
>>> </extension>
>>>
>>> You should not allow tainted data from an outside system to be fed directly
>>> into your code. There is a regex system in place to extract legitimate data
>>> from the user-tainted input and safeguard against this.
>>>
>>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com> wrote:
>>>
>>>>
>>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>>>>
>>>> Just for your information, I wrote this article about my test for injections
>>>> in FreeSWITCH.
>>>>
>>>> Version of my tests:
>>>>
>>>> freeswitch at internal> version
>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>>>> freeswitch at internal>
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>
>>> --
>>> Anthony Minessale II
>>>
>>> FreeSWITCH http://www.freeswitch.org/
>>> ClueCon http://www.cluecon.com/
>>> Twitter: http://twitter.com/FreeSWITCH_wire
>>>
>>> AIM: anthm
>>> MSN: anthony_minessale at hotmail.com
>>> GTALK/JABBER/PAYPAL: anthony.minessale at gmail.com
>>> IRC: irc.freenode.net #freeswitch
>>>
>>> FreeSWITCH Developer Conference
>>> sip:888 at conference.freeswitch.org
>>> iax:guest at conference.freeswitch.org/888
>>> googletalk:conf+888 at conference.freeswitch.org
>>> pstn:+19193869900
>>>
>>>
>
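As an added example that is not part of this thread, here is the point Anthony makes written out as a FreeSWITCH dialplan fragment: the catch-all condition that hands the raw dialed string to `system`, beside a condition whose regex extracts only a validated digit string and passes the capture group `$1`. The extension names, the dialplan file and the `notify.sh` script path are hypothetical.

```xml
<!-- Added example, not from the mailing-list thread.
     Hypothetical file: conf/dialplan/default/99_notify_example.xml -->
<include>

  <!-- WEAK: "^(.*)$" matches any destination_number, and the untouched,
       caller-controlled string is interpolated into a shell command line.
       This is the shape of the "please-hack-me" extension above. -->
  <extension name="weak-catch-all-notify">
    <condition field="destination_number" expression="^(.*)$">
      <action application="system" data="/usr/local/bin/notify.sh ${destination_number}"/>
    </condition>
  </extension>

  <!-- HARDENED: the condition only matches when destination_number is
       exactly four digits, and the action uses the capture group $1 rather
       than the raw variable, so only the validated digits reach the shell.
       Any other dialed string falls through to later extensions. -->
  <extension name="hardened-four-digit-notify">
    <condition field="destination_number" expression="^(\d{4})$">
      <action application="system" data="/usr/local/bin/notify.sh $1"/>
    </condition>
  </extension>

  <!-- PREFERRED: when a shell is not actually required, stay inside the
       dialplan. transfer receives the same validated $1 and never
       touches a command interpreter. -->
  <extension name="hardened-four-digit-transfer">
    <condition field="destination_number" expression="^(\d{4})$">
      <action application="transfer" data="$1 XML default"/>
    </condition>
  </extension>

</include>
```

The anchors `^` and `$` matter as much as the character class: without them `\d{4}` still matches a string that merely contains four digits somewhere.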