[Freeswitch-users] Dial String Inject in FreeSwitch

Eder Souza ederwander at gmail.com
Mon Feb 22 09:45:49 PST 2010


Link down :-)

I'd be thankful if somebody created a wiki page with this alert.


Eng Eder de Souza

On Mon, Feb 22, 2010 at 2:39 PM, Eder Souza <ederwander at gmail.com> wrote:

> Yeah, can somebody make a wiki page for this alert??
>
> I'm taking my link page down now to prevent these problems !!
>
> OK
>
>   On Mon, Feb 22, 2010 at 2:26 PM, Giovanni Maruzzelli <
> gmaruzz at celliax.org> wrote:
>
>> Eder,
>>
>> If you fear people can do such *really stupid* things, and this is
>> nice of you, please add something to the wiki, for example a
>> paragraph in the dialplan page, or whatever, explaining why this is a
>> stupid thing.
>>
>> If you publish a page on your blog that looks like a security alert,
>> or that says you found a security flaw in FS, people will rightly think
>> that you are just looking for some attention in the search engines,
>> and to bring viewers to your page.
>>
>> Also, in doing so, you push non-technical people to think there is a
>> security problem in FS, and this is really big damage to the
>> project. Because it is not true; it is just how it looks on your
>> page.
>>
>> So, delete that page, and add something to the wiki, if you care about
>> telling people not to do stupid things.
>>
>> But please, be aware that your page, the page you published, is really
>> something that does damage and puts a bad light on a project, and there
>> is no reason for doing this.
>>
>> -giovanni
>>
>>
>>
>> On Mon, Feb 22, 2010 at 6:09 PM, Eder Souza <ederwander at gmail.com> wrote:
>> > I prefer FreeSwitch; I left Asterisk.
>> >
>> > FreeSwitch is very, very much better than Asterisk in my opinion !!
>> >
>> >
>> > My intention is just to say: don't use (.*), (.+) or combinations of these
>> > regular expressions. For me FreeSwitch is the better one !!
>> >
>> >
>> >
>> > On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale
>> > <anthony.minessale at gmail.com> wrote:
>> >>
>> >> To me it sounds like a way to sound the alarms and bring negative
>> >> attention.
>> >>
>> >> For instance, if you were sincerely concerned, you could have told us
>> >> about your discovery privately first, and we could feature a story on our
>> >> own site warning people of this danger and reminding them how to compose
>> >> extensions properly.
>> >>
>> >> The posting was instead made like a big public announcement calling our
>> >> software "imperfect".
>> >> Yes it is imperfect. It can't properly detect someone being a moron 100%
>> >> of the time, but it sure tries its darndest.
>> >>
>> >>
>> >>
>> >>
>> >> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com> wrote:
>> >>>
>> >>> Anthony, I don't see why ??
>> >>>
>> >>>
>> >>> This is just one alert for all the community about the danger in the use of
>> >>> regular expression (.*) or (.*) ...
>> >>>
>> >>> Many people can make dialplans with use of these expressions ...
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale
>> >>> <anthony.minessale at gmail.com> wrote:
>> >>>>
>> >>>> Please do not use our project to try to make your blog more popular.
>> >>>>
>> >>>> Your example requires you to prepare an intentional specific extension
>> >>>> on the FreeSWITCH custom made for your attack. It's like saying if you leave
>> >>>> your door wide open at your house and call and tell someone, they can come
>> >>>> and rob you at 8:30.
>> >>>>
>> >>>> This extension is also vulnerable "by virtue of the stupidity of the
>> >>>> composer"
>> >>>>
>> >>>> <extension name="please-hack-me">
>> >>>>   <!-- deliberately vulnerable: the caller-controlled dial string is passed unfiltered to a shell -->
>> >>>>   <condition>
>> >>>>    <action application="system" data="${destination_number}"/>
>> >>>>   </condition>
>> >>>> </extension>
>> >>>>
>> >>>> You should not allow tainted data from an outside system to be fed directly
>> >>>> into your code. There is a regex system in place to extract legitimate data
>> >>>> from the user-tainted input and safeguard against this.
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com> wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>> >>>>>
>> >>>>> Just for your information, I wrote this article about my tests for injections
>> >>>>> in FreeSWITCH.
>> >>>>>
>> >>>>> Version used in my tests:
>> >>>>>
>> >>>>> freeswitch at internal> version
>> >>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>> >>>>> freeswitch at internal>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> FreeSWITCH-users mailing list
>> >>>>> FreeSWITCH-users at lists.freeswitch.org
>> >>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >>>>>
>> >>>>> UNSUBSCRIBE: http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >>>>> http://www.freeswitch.org
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Anthony Minessale II
>> >>>>
>> >>>> FreeSWITCH http://www.freeswitch.org/
>> >>>> ClueCon http://www.cluecon.com/
>> >>>> Twitter: http://twitter.com/FreeSWITCH_wire
>> >>>>
>> >>>> AIM: anthm
>> >>>> MSN: anthony_minessale at hotmail.com
>> >>>> GTALK/JABBER/PAYPAL: anthony.minessale at gmail.com
>> >>>> IRC: irc.freenode.net #freeswitch
>> >>>>
>> >>>> FreeSWITCH Developer Conference
>> >>>> sip:888 at conference.freeswitch.org
>> >>>> iax:guest at conference.freeswitch.org/888
>> >>>> googletalk:conf+888 at conference.freeswitch.org
>> >>>> pstn:+19193869900
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Sincerely,
>>
>> Giovanni Maruzzelli
>> Cell : +39-347-2665618
>>
>>
>
>
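As an added example, not code from this thread, from FreeSWITCH or from the blog it discusses: a small Python audit that mimics the dialplan regex gate Anthony describes (an anchored, digit-only capture admits only what it describes, while (.*) or a raw ${destination_number} hands the caller's whole dial string to the action) and flags extensions that feed unconstrained caller input to the `system` application. The dialplan fragment, extension names, script path and the tainted dial string are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed dialplan fragment: the thread's "please-hack-me" shape, a
# catch-all capture passed as $1, and a hardened extension that only
# exposes an anchored, digit-only capture.
SAMPLE_DIALPLAN = """<include>
  <extension name="please-hack-me">
    <condition>
      <action application="system" data="/usr/local/bin/notify ${destination_number}"/>
    </condition>
  </extension>
  <extension name="catch-all-capture">
    <condition field="destination_number" expression="^(.+)$">
      <action application="system" data="/usr/local/bin/notify $1"/>
    </condition>
  </extension>
  <extension name="notify-on-dial">
    <condition field="destination_number" expression="^(\\d{4})$">
      <action application="system" data="/usr/local/bin/notify $1"/>
    </condition>
  </extension>
</include>"""

CATCH_ALL = re.compile(r"\(\.[*+]\)")                 # (.*) or (.+) in the expression
RAW_INPUT = re.compile(r"\$\{destination_number\}")  # tainted channel variable used verbatim


def dialplan_capture(expression, destination_number):
    """Mimic the <condition> match: return what $1 would hold, or None on no match."""
    m = re.match(expression, destination_number)
    return m.group(1) if m else None


def find_risky_extensions(xml_text):
    """Return names of extensions that hand unconstrained caller input to 'system'."""
    risky = set()
    for ext in ET.fromstring(xml_text).iter("extension"):
        for cond in ext.iter("condition"):
            expr = cond.get("expression", "")
            for act in cond.iter("action"):
                if act.get("application") != "system":
                    continue
                data = act.get("data", "")
                if RAW_INPUT.search(data) or (CATCH_ALL.search(expr) and "$1" in data):
                    risky.add(ext.get("name"))
    return sorted(risky)


if __name__ == "__main__":
    print(find_risky_extensions(SAMPLE_DIALPLAN))
    print(dialplan_capture(r"^(\d{4})$", "1000; echo injected"))  # None: rejected
```

The audit is a static check of the pattern the thread warns about; it does not replace reviewing what each `system` action actually executes.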