To me it sounds like a way to sound the alarms and bring negative attention.<br><br>For instance, if you were sincerely concerned, you could have told us about your discovery privately first, and we could feature a story on our own site warning people of this danger and reminding them how to compose extensions properly.<br>
<br>The posting was instead made like a big public announcement calling our software &quot;imperfect&quot;.<br>Yes, it is imperfect. It can&#39;t properly detect someone being a moron 100% of the time, but it sure tries its darndest.<br>
<br><br><br><br><div class="gmail_quote">On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <span dir="ltr">&lt;<a href="mailto:ederwander@gmail.com">ederwander@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Anthony, I don&#39;t see why?</div>
<div>this is just an alert for the whole community about the danger of using the regular expression (.*) or (.*) ...</div>
<div>many people may make dialplans which use these expressions ...</div><div><div></div><div class="h5">
<div class="gmail_quote">On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale <span dir="ltr">&lt;<a href="mailto:anthony.minessale@gmail.com" target="_blank">anthony.minessale@gmail.com</a>&gt;</span> wrote:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;" class="gmail_quote">
<p>Please do not use our project to try to make your blog more popular.</p>
<p>Your example requires you to prepare an intentional specific extension on the FreeSWITCH custom made for your attack. It’s like saying if you leave your door wide open at your house and call and tell someone, they can come and rob you at 8:30.</p>


<p>This extension is also vulnerable “by virtue of the stupidity of the composer” </p>
<p>&lt;extension name=&quot;please-hack-me&quot;&gt;<br>  &lt;condition&gt;<br>   &lt;action application=&quot;system&quot; data=&quot;${destination_number}&quot;/&gt;<br>  &lt;/condition&gt;<br>&lt;/extension&gt;</p>
<p>You should not allow tainted data from an outside system to be fed directly into your code. There is a regex system in place to extract legitimate data from the user-tainted input and safeguard against this.</p>
<div class="gmail_quote">
<div>
<div></div>
<div>On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <span dir="ltr">&lt;<a href="mailto:ederwander@gmail.com" target="_blank">ederwander@gmail.com</a>&gt;</span> wrote:<br></div></div>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
<div>
<div></div>
<div>
<div><a href="http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/" target="_blank">http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/</a></div>
<div>just for your information, I wrote this article about my tests for injections in FreeSWITCH</div>
<div>version used in my tests</div>
<div><a href="mailto:freeswitch@internal" target="_blank">freeswitch@internal</a>&gt; version<br>FreeSWITCH Version 1.0.5-20100218-0400 (hacked)</div>
<div><a href="mailto:freeswitch@internal" target="_blank">freeswitch@internal</a>&gt;<br></div>
<div> </div><br></div></div>_______________________________________________<br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>

<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>

<a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br><br></blockquote></div><br><br clear="all"><br>-- <br>Anthony Minessale II<br><br>FreeSWITCH <a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org/</a><br>

ClueCon <a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com/</a><br>Twitter: <a href="http://twitter.com/FreeSWITCH_wire" target="_blank">http://twitter.com/FreeSWITCH_wire</a><br><br>AIM: anthm<br><a href="mailto:MSN%3Aanthony_minessale@hotmail.com" target="_blank">MSN:anthony_minessale@hotmail.com</a><br>

GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com" target="_blank">PAYPAL:anthony.minessale@gmail.com</a><br>IRC: <a href="http://irc.freenode.net/" target="_blank">irc.freenode.net</a> #freeswitch<br><br>

FreeSWITCH Developer Conference<br><a href="mailto:sip%3A888@conference.freeswitch.org" target="_blank">sip:888@conference.freeswitch.org</a><br><a href="http://iax:guest@conference.freeswitch.org/888" target="_blank">iax:guest@conference.freeswitch.org/888</a><br>

<a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org" target="_blank">googletalk:conf+888@conference.freeswitch.org</a><br>pstn:+19193869900<br><br>
<br></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Anthony Minessale II<br><br>FreeSWITCH <a href="http://www.freeswitch.org/">http://www.freeswitch.org/</a><br>ClueCon <a href="http://www.cluecon.com/">http://www.cluecon.com/</a><br>
Twitter: <a href="http://twitter.com/FreeSWITCH_wire">http://twitter.com/FreeSWITCH_wire</a><br><br>AIM: anthm<br><a href="mailto:MSN%3Aanthony_minessale@hotmail.com">MSN:anthony_minessale@hotmail.com</a><br>GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com">PAYPAL:anthony.minessale@gmail.com</a><br>
IRC: <a href="http://irc.freenode.net">irc.freenode.net</a> #freeswitch<br><br>FreeSWITCH Developer Conference<br><a href="mailto:sip%3A888@conference.freeswitch.org">sip:888@conference.freeswitch.org</a><br><a href="http://iax:guest@conference.freeswitch.org/888">iax:guest@conference.freeswitch.org/888</a><br>
<a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org">googletalk:conf+888@conference.freeswitch.org</a><br>pstn:+19193869900<br>
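The dialplan point argued in the thread, as an added example that is not code from the thread or from the FreeSWITCH project: the same extension written twice, once with the loose <code>(.*)</code> match that Eder warns about and once with an anchored, digit-only pattern that only ever lets a four-digit extension through. The extension names <code>please-hack-me</code> and <code>local-users</code> and the script path <code>/usr/local/bin/notify.sh</code> are assumptions for illustration; <code>destination_number</code>, <code>domain_name</code>, <code>system</code> and <code>bridge</code> are standard FreeSWITCH names.

```xml
<!--
  Added example, not from the mailing-list thread or the FreeSWITCH project.
  Two dialplan extensions for the same job: handling a dialed 4-digit user.
  Hypothetical names: extensions "please-hack-me" and "local-users", and
  the script /usr/local/bin/notify.sh. $1 is the first regex capture group.
-->
<include>
  <context name="default">

    <!-- Weak: (.*) is unanchored and unrestricted, so whatever the caller
         sent as the dialed string, shell metacharacters included, lands in
         $1 and is handed to a shell by the "system" application. -->
    <extension name="please-hack-me">
      <condition field="destination_number" expression="(.*)">
        <action application="system" data="/usr/local/bin/notify.sh $1"/>
      </condition>
    </extension>

    <!-- Hardened: ^ and $ anchor the match and \d{4} restricts it, so $1
         can only ever be exactly four digits; anything else does not match
         and falls through to later extensions. Nothing caller-supplied is
         passed to a shell at all; the filtered value is only used to bridge. -->
    <extension name="local-users">
      <condition field="destination_number" expression="^(\d{4})$">
        <action application="bridge" data="user/$1@${domain_name}"/>
      </condition>
    </extension>

  </context>
</include>
```

Two things worth checking in your own dialplan: FreeSWITCH condition expressions are PCRE and are not anchored for you, so a pattern without <code>^</code> and <code>$</code> matches anywhere inside the dialed string; and the thread's <code>${destination_number}</code> bypasses the regex entirely, so the value reaching <code>system</code> is the raw caller input regardless of how strict the condition is. Use the capture group, not the raw variable, and keep the <code>system</code> application away from caller-controlled data even when the capture is digits-only.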