<p>Yeah, can somebody make a wiki page for this alert?</p>
<div> </div>
<div>I'm taking my linked page down now to prevent these problems!!</div>
<div> </div>
<div>OK<br><br></div>
<div class="gmail_quote">On Mon, Feb 22, 2010 at 2:26 PM, Giovanni Maruzzelli <span dir="ltr"><<a href="mailto:gmaruzz@celliax.org">gmaruzz@celliax.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Eder,<br><br>If you fear people can do such *really stupid* things, and this is<br>nice of you, please add something to the wiki, for example a<br>
paragraph in the dialplan page, or whatever, explaining why this is a<br>stupid thing.<br><br>If you publish a page on your blog that looks like a security alert,<br>or that says you found a security flaw in FS, people will rightly think<br>
that you are just looking for some attention in the search engines,<br>and to bring viewers to your page.<br><br>Also, in doing so, you push non-technical people to think there is a<br>security problem in FS, and this is really a big damage to the<br>
project. Because it is not true, it is just how it looks on your<br>page.<br><br>So, delete that page, and add something to the wiki, if you care about<br>telling people not to do stupid things.<br><br>But please, be aware that your page, the page you published, is really<br>
something that does damage and puts a bad light on the project, and there<br>is no reason for doing this.<br><br>-giovanni<br>
<div>
<div></div>
<div class="h5"><br><br><br>On Mon, Feb 22, 2010 at 6:09 PM, Eder Souza <<a href="mailto:ederwander@gmail.com">ederwander@gmail.com</a>> wrote:<br>> I prefer FreeSWITCH; I left Asterisk.<br>><br>> FreeSWITCH is very, very much better than Asterisk in my opinion!!<br>
><br>><br>> My intention is just to say: don't use (.*), (.+) or combinations of these<br>> regular expressions. For me FreeSWITCH is the better one!!<br>><br>><br>><br>> On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale<br>
> <<a href="mailto:anthony.minessale@gmail.com">anthony.minessale@gmail.com</a>> wrote:<br>>><br>>> To me it sounds like a way to sound the alarms and bring negative<br>>> attention.<br>>><br>
>> For instance, if you were sincerely concerned, you could have told us<br>>> about your discovery privately first, and we could feature a story on our<br>>> own site warning people of this danger and reminding them how to compose<br>
>> extensions properly.<br>>><br>>> The posting was instead made like a big public announcement calling our<br>>> software "imperfect".<br>>> Yes, it is imperfect. It can't properly detect someone being a moron 100%<br>
>> of the time, but it sure tries its darndest.<br>>><br>>><br>>><br>>><br>>> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <<a href="mailto:ederwander@gmail.com">ederwander@gmail.com</a>> wrote:<br>
>>><br>>>> Anthony, I don't see why??<br>>>><br>>>><br>>>> This is just an alert for the whole community about the danger in the use of the regular<br>>>> expression (.*) or (.*) ...<br>
>>><br>>>> Many people can make dialplans which use these expressions ...<br>>>><br>>>><br>>>><br>>>><br>>>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale<br>
>>> <<a href="mailto:anthony.minessale@gmail.com">anthony.minessale@gmail.com</a>> wrote:<br>>>>><br>>>>> Please do not use our project to try to make your blog more popular.<br>>>>><br>
>>>> Your example requires you to prepare an intentional, specific extension<br>>>>> on the FreeSWITCH, custom-made for your attack. It's like saying if you leave<br>>>>> your door wide open at your house and call and tell someone, they can come<br>
>>>> and rob you at 8:30.<br>>>>><br>>>>> This extension is also vulnerable "by virtue of the stupidity of the<br>>>>> composer":<br>>>>><br>>>>> <extension name="please-hack-me"><br>
>>>> <condition><br>>>>> <action application="system" data="${destination_number}"/><br>>>>> </condition><br>>>>> </extension><br>>>>><br>
>>>> You should not allow tainted data from an outside system to be fed directly<br>>>>> into your code. There is a regex system in place to extract legitimate data<br>>>>> from the user-tainted input and safeguard against this.<br>
>>>><br>>>>><br>>>>><br>>>>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <<a href="mailto:ederwander@gmail.com">ederwander@gmail.com</a>><br>>>>> wrote:<br>
>>>>><br>>>>>><br>>>>>> <a href="http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/" target="_blank">http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/</a><br>
>>>>><br>>>>>> Just for your information, I wrote this article about my test for injections<br>>>>>> in FreeSWITCH.<br>>>>>><br>>>>>> Version of my tests:<br>
>>>>><br>>>>>> freeswitch@internal> version<br>>>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)<br>>>>>> freeswitch@internal><br>>>>>><br>
>>>>><br>>>>>><br>>>>>><br>>>>>> _______________________________________________<br>>>>>> FreeSWITCH-users mailing list<br>>>>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>>>>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>>>>>><br>>>>>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>>>>> <a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br>>>>>><br>>>>><br>>>>><br>>>>><br>>>>> --<br>>>>> Anthony Minessale II<br>
>>>><br>>>>> FreeSWITCH <a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org/</a><br>>>>> ClueCon <a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com/</a><br>
>>>> Twitter: <a href="http://twitter.com/FreeSWITCH_wire" target="_blank">http://twitter.com/FreeSWITCH_wire</a><br>>>>><br>>>>> AIM: anthm<br>>>>> <a href="mailto:MSN%3Aanthony_minessale@hotmail.com">MSN:anthony_minessale@hotmail.com</a><br>
>>>> GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com">PAYPAL:anthony.minessale@gmail.com</a><br>>>>> IRC: <a href="http://irc.freenode.net/" target="_blank">irc.freenode.net</a> #freeswitch<br>
>>>><br>>>>> FreeSWITCH Developer Conference<br>>>>> <a href="mailto:sip%3A888@conference.freeswitch.org">sip:888@conference.freeswitch.org</a><br>>>>> <a href="http://iax:guest@conference.freeswitch.org/888" target="_blank">iax:guest@conference.freeswitch.org/888</a><br>
>>>> <a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org">googletalk:conf+888@conference.freeswitch.org</a><br>>>>> pstn:+19193869900<br>>>>><br>>>><br>>><br>><br><br><br><br>--<br></div></div>Sincerely,<br><font color="#888888"><br>Giovanni Maruzzelli<br>Cell : +39-347-2665618<br>
</font>
</blockquote></div><br>
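<p>The dialplan pattern the thread argues about, as an added example that is not part of the thread and not the FreeSWITCH project's own configuration: the weak extension (a catch-all condition feeding the raw dialed number to the <code>system</code> application) beside a hardened version that only lets through what a strict, anchored regex captures. It assumes the <code>system</code> application hands its data string to a shell, so whatever reaches it from the caller is interpreted there; the extension names and the <code>/usr/local/bin/notify-call</code> path are placeholders.</p>

```xml
<!-- Added example, not from the thread or from the FreeSWITCH project.
     Assumption: the dialplan "system" application hands its data string to
     a shell, so shell metacharacters in the dialed number are interpreted.
     The extension names and /usr/local/bin/notify-call are placeholders. -->
<include>

  <!-- WEAK: the condition matches any dialed string, and the action uses the
       raw ${destination_number}, so whatever the caller dialed reaches the
       shell unchanged. A dialed string such as "1000;id" or "1000`id`" would
       run the second command. This is the (.*) / (.+) pattern the thread
       warns against. -->
  <extension name="weak-system-call">
    <condition field="destination_number" expression="^(.*)$">
      <action application="system" data="/usr/local/bin/notify-call ${destination_number}"/>
    </condition>
  </extension>

  <!-- HARDENED: the anchored regex admits only 3- or 4-digit extensions, and
       the action uses the capture $1 instead of the raw variable. A dialed
       string carrying anything else fails the condition, the extension is
       skipped, and the shell never sees it. -->
  <extension name="safe-system-call">
    <condition field="destination_number" expression="^(\d{3,4})$">
      <action application="system" data="/usr/local/bin/notify-call $1"/>
    </condition>
  </extension>

</include>
```

<p>The point is the condition, not the action: with <code>^(\d{3,4})$</code> the caller-controlled string never gets as far as <code>system</code> unless it is three or four digits, and the action passes the capture <code>$1</code> rather than <code>${destination_number}</code>, so what reaches the shell is exactly what the regex admitted. If the action does not need an external program at all, dropping <code>system</code> removes the shell from the picture entirely.</p>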