Correct,<br><br>You could write a CGI for Apache too that could let someone figure out how to download the root password.<br><br>By default, nobody should trust the data supplied by the outside user. FreeSWITCH cannot do this for you, or the limitations would impair desired functionality.<br>
<br>All you have to do is look for a digit sequence in your dial string.<br>Moreover, you need to make sure even then that it&#39;s safe to pass this digit string to the provider.<br>Here in the USA we share the 1 country code with several other countries that could cost 50 cents to a dollar a minute.<br>
So you are not even safe when you have made sure it&#39;s a number.<br><br><br><br><div class="gmail_quote">On Mon, Feb 22, 2010 at 11:09 AM, Eder Souza <span dir="ltr">&lt;<a href="mailto:ederwander@gmail.com">ederwander@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>I prefer FreeSWITCH; I left Asterisk.</div>
<div> </div>
<div>FreeSWITCH is very, very much better than Asterisk in my opinion!!</div>
<div> </div>
<div> </div>
<div>My intention is just to say don&#39;t use (.*), (.+) or combinations of these regular expressions; for me FreeSWITCH is the better one!!</div><div><div></div><div class="h5">
<div> </div>
<div> </div>
<div><br> </div>
<div class="gmail_quote">On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale <span dir="ltr">&lt;<a href="mailto:anthony.minessale@gmail.com" target="_blank">anthony.minessale@gmail.com</a>&gt;</span> wrote:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;" class="gmail_quote">To me it sounds like a way to sound the alarms and bring negative attention.<br><br>For instance, if you were sincerely concerned, you could have told us about your discovery privately first, and we could feature a story on our own site warning people of this danger and reminding them how to compose extension properly.<br>

<br>The posting was instead made like a big public announcement calling our software &quot;imperfect&quot;.<br>Yes, it is imperfect; it can&#39;t properly detect someone being a moron 100% of the time, but it sure tries its darndest. 
<div>
<div></div>
<div><br><br><br><br><br>
<div class="gmail_quote">On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <span dir="ltr">&lt;<a href="mailto:ederwander@gmail.com" target="_blank">ederwander@gmail.com</a>&gt;</span> wrote:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
<div>Anthony, I don&#39;t see why??</div>
<div> </div>
<div> </div>
<div>This is just an alert for the whole community about the danger in the use of the regular expression (.*) or (.*) ...</div>
<div> </div>
<div>Many people can make dialplans which use these expressions ...</div>
<div>
<div></div>
<div>
<div> </div>
<div> </div>
<div> </div>
<div><br><br> </div>
<div class="gmail_quote">On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale <span dir="ltr">&lt;<a href="mailto:anthony.minessale@gmail.com" target="_blank">anthony.minessale@gmail.com</a>&gt;</span> wrote:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;" class="gmail_quote">
<p>Please do not use our project to try to make your blog more popular.</p>
<p>Your example requires you to prepare an intentional specific extension on the FreeSWITCH custom made for your attack. It’s like saying if you leave your door wide open at your house and call and tell someone, they can come and rob you at 8:30.</p>


<p>This extension is also vulnerable “by virtue of the stupidity of the composer” </p>
<p>&lt;extension name="please-hack-me"&gt;<br>  &lt;condition&gt;<br>   &lt;action application="system" data="${destination_number}"/&gt;<br>  &lt;/condition&gt;<br>&lt;/extension&gt;</p>
<p>You should not allow tainted data from an outside system to be fed directly into your code. There is a regex system in place to extract legitimate data from the user&#39;s tainted input and safeguard against this.</p>
<p><br></p>
<p><br></p><br><br>
<div class="gmail_quote">
<div>
<div></div>
<div>On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <span dir="ltr">&lt;<a href="mailto:ederwander@gmail.com" target="_blank">ederwander@gmail.com</a>&gt;</span> wrote:<br></div></div>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
<div>
<div></div>
<div>
<div><a href="http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/" target="_blank">http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/</a></div>
<div> </div>
<div>Just for your information, I wrote this article about my tests for injections in FreeSWITCH. </div>
<div> </div>
<div>Version used in my tests</div>
<div> </div>
<div><a href="mailto:freeswitch@internal" target="_blank">freeswitch@internal</a>&gt; version<br>FreeSWITCH Version 1.0.5-20100218-0400 (hacked)</div>
<div><a href="mailto:freeswitch@internal" target="_blank">freeswitch@internal</a>&gt;<br></div>
<div> </div>
<div> </div>
<div> </div>
<div> </div><br></div></div>_______________________________________________<br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>

<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>

<a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br><br></blockquote></div><br><br clear="all"><br>-- <br>Anthony Minessale II<br><br>FreeSWITCH <a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org/</a><br>

ClueCon <a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com/</a><br>Twitter: <a href="http://twitter.com/FreeSWITCH_wire" target="_blank">http://twitter.com/FreeSWITCH_wire</a><br><br>AIM: anthm<br><a href="mailto:MSN%3Aanthony_minessale@hotmail.com" target="_blank">MSN:anthony_minessale@hotmail.com</a><br>

GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com" target="_blank">PAYPAL:anthony.minessale@gmail.com</a><br>IRC: <a href="http://irc.freenode.net/" target="_blank">irc.freenode.net</a> #freeswitch<br><br>

FreeSWITCH Developer Conference<br><a href="mailto:sip%3A888@conference.freeswitch.org" target="_blank">sip:888@conference.freeswitch.org</a><br><a href="http://iax:guest@conference.freeswitch.org/888" target="_blank">iax:guest@conference.freeswitch.org/888</a><br>

<a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org" target="_blank">googletalk:conf+888@conference.freeswitch.org</a><br>pstn:+19193869900<br><br>

<br></blockquote></div><br></div></div><br>

</blockquote></div><br></div></div><br>

<br></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br>
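<p>An added worked example (my code, not from this thread or the FreeSWITCH project) of the two checks Anthony describes above: an anchored, digits-only capture in place of (.*), and then a destination allowlist, because a dial string that really is a number can still route to a premium destination under country code 1. The sample dial strings and the area-code allowlist are constructed for illustration.</p>

```python
import re

# Constructed sample destination_number values, written here to exercise the
# check; they are not taken from the thread. The third and fourth strings carry
# shell syntax, which is exactly what the "please-hack-me" extension would hand
# to the system application unfiltered.
SAMPLE_INPUTS = [
    "12125551234",      # 11-digit NANP number, permitted area code
    "1-212-555-1234",   # same number with punctuation
    "5551234; id",      # shell metacharacters inside the dial string
    "$(id)",            # command substitution inside the dial string
    "14415551234",      # 11 digits under country code 1, area code not allowlisted
    "44207946000",      # 11 digits, but not country code 1
    "",                 # empty destination
]

# The pattern the thread warns about: it captures anything at all.
PERMISSIVE = re.compile(r"^(.*)$")

# Anchored, digits-only pattern: exactly 11 digits, nothing before or after.
STRICT = re.compile(r"^(\d{11})$")

# Constructed allowlist of NANP area codes this deployment is permitted to dial
# (assumption; a real deployment derives this from its own rate tables).
ALLOWED_NPA = {"212", "415", "919"}


def permissive_capture(dial_string):
    """Mimic $1 from expression="^(.*)$": returns the input untouched."""
    m = PERMISSIVE.match(dial_string)
    return m.group(1) if m else None


def strict_digits(dial_string):
    """Mimic $1 from expression="^(\\d{11})$": digits only, or None."""
    m = STRICT.match(dial_string)
    return m.group(1) if m else None


def route_decision(dial_string):
    """Decide whether a destination may be bridged to the provider.

    Returns ("dial", digits) or ("reject", reason). Being numeric is not
    enough: the area code must also be one this deployment agreed to pay for.
    """
    digits = strict_digits(dial_string)
    if digits is None:
        return ("reject", "not an 11-digit number")
    if digits[0] != "1":
        return ("reject", "unexpected country code")
    npa = digits[1:4]
    if npa not in ALLOWED_NPA:
        return ("reject", f"area code {npa} not on allowlist")
    return ("dial", digits)


def audit(dial_strings):
    """Map each input to its routing decision, for review or logging."""
    return {s: route_decision(s) for s in dial_strings}


if __name__ == "__main__":
    for s in SAMPLE_INPUTS:
        print(f"{s!r:22} permissive $1 -> {permissive_capture(s)!r:22} "
              f"strict -> {route_decision(s)}")
```

<p>In the dialplan the equivalent of <code>strict_digits</code> is a condition such as <code>&lt;condition field="destination_number" expression="^(\d{11})$"&gt;</code> with <code>$1</code> used in the action instead of <code>${destination_number}</code>; the allowlist step is the part a regex alone cannot give you, since <code>14415551234</code> and <code>12125551234</code> look identical to <code>^(\d{11})$</code>.</p>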