[Freeswitch-users] Dial String Inject in FreeSwitch

Giovanni Maruzzelli gmaruzz at celliax.org
Mon Feb 22 09:26:00 PST 2010


Eder,

If you fear people can do such *really stupid* things, and this is
nice of you, please add something to the wiki, for example a
paragraph on the dialplan page, or whatever, explaining why this is a
stupid thing.

If you publish a page on your blog that looks like a security alert,
or that says you found a security flaw in FS, people will rightly think
that you are just looking for some attention in the search engines,
and to bring viewers to your page.

Also, in doing so, you push non-technical people to think there is a
security problem in FS, and this does real damage to the
project, because it is not true; it is just how it looks on your
page.

So, delete that page, and add something to the wiki, if you care about
telling people not to do stupid things.

But please, be aware that your page, the page you published, is really
something that does damage and puts the project in a bad light, and there
is no reason for doing this.

-giovanni



On Mon, Feb 22, 2010 at 6:09 PM, Eder Souza <ederwander at gmail.com> wrote:
> I prefer FreeSWITCH; I left Asterisk.
>
> FreeSWITCH is much, much better than Asterisk in my opinion!!
>
>
> My intention is just to say: don't use (.*), (.+) or combinations of these
> regular expressions. For me FreeSWITCH is the better one!!
>
>
>
> On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale
> <anthony.minessale at gmail.com> wrote:
>>
>> To me it sounds like a way to sound the alarms and bring negative
>> attention.
>>
>> For instance, if you were sincerely concerned, you could have told us
>> about your discovery privately first, and we could feature a story on our
>> own site warning people of this danger and reminding them how to compose
>> extension properly.
>>
>> The posting was instead made like a big public announcement calling our
>> software "imperfect".
>> Yes it is imperfect. It can't properly detect someone being a moron 100%
>> of the time, but it sure tries its darndest.
>>
>>
>>
>>
>> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com> wrote:
>>>
>>> Anthony, I don't see why??
>>>
>>>
>>> This is just an alert for the whole community about the danger in the use of
>>> the regular expressions (.*) or (.*) ...
>>>
>>> Many people can make dialplans which use these expressions ...
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale
>>> <anthony.minessale at gmail.com> wrote:
>>>>
>>>> Please do not use our project to try to make your blog more popular.
>>>>
>>>> Your example requires you to prepare an intentional, specific extension
>>>> on the FreeSWITCH custom made for your attack. It's like saying that if you leave
>>>> the door of your house wide open and call and tell someone, they can come
>>>> and rob you at 8:30.
>>>>
>>>> This extension is also vulnerable "by virtue of the stupidity of the
>>>> composer":
>>>>
>>>> <extension name="please-hack-me">
>>>>   <!-- a condition with no field/expression always matches -->
>>>>   <condition>
>>>>     <action application="system" data="${destination_number}"/>
>>>>   </condition>
>>>> </extension>
>>>>
>>>> You should not allow tainted data from an outside system to be fed directly
>>>> into your code. There is a regex system in place to extract legitimate data
>>>> from the user-tainted input and safeguard against this.
>>>>
>>>>
>>>>
>>>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com>
>>>> wrote:
>>>>>
>>>>>
>>>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>>>>>
>>>>> Just for your information, I wrote this article about my tests for injections
>>>>> in FreeSWITCH.
>>>>>
>>>>> Version used in my tests:
>>>>>
>>>>> freeswitch at internal> version
>>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>>>>> freeswitch at internal>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Anthony Minessale II
>>>>
>>>> FreeSWITCH http://www.freeswitch.org/
>>>> ClueCon http://www.cluecon.com/
>>>> Twitter: http://twitter.com/FreeSWITCH_wire
>>>>
>>>> AIM: anthm
>>>> MSN:anthony_minessale at hotmail.com
>>>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
>>>> IRC: irc.freenode.net #freeswitch
>>>>
>>>> FreeSWITCH Developer Conference
>>>> sip:888 at conference.freeswitch.org
>>>> iax:guest at conference.freeswitch.org/888
>>>> googletalk:conf+888 at conference.freeswitch.org
>>>> pstn:+19193869900
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>



-- 
Sincerely,

Giovanni Maruzzelli
Cell : +39-347-2665618
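The thread's technical point is that a dialplan regex is the place where caller-supplied input gets validated, and that a catch-all capture like (.*) does no validation at all. The following dialplan fragment is an added example written for this page; it is not code from the thread, from Eder's blog post, or from the FreeSWITCH project. It puts the unsafe pattern beside a hardened form. The gateway name "upstream", the script path /usr/local/bin/log-call.sh and the extension ranges are assumptions chosen for illustration.

```xml
<!-- Added example, not from the mailing list thread or the FreeSWITCH project.
     Assumed: a sofia gateway named "upstream" and a helper script at
     /usr/local/bin/log-call.sh; both are placeholders. -->
<include>

  <!-- UNSAFE: "^(.*)$" accepts any dialled string, so $1 is the raw, caller-
       controlled value. Interpolating it into a command line (the "system"
       application) or into a dial string lets the caller choose what runs
       or where the call goes. This is the shape the thread warns against. -->
  <extension name="catch-all-unsafe">
    <condition field="destination_number" expression="^(.*)$">
      <action application="system" data="/usr/local/bin/log-call.sh $1"/>
      <action application="bridge" data="sofia/gateway/upstream/$1"/>
    </condition>
  </extension>

  <!-- HARDENED: anchor the pattern and describe only the digit shapes you
       actually route. A destination that fails the regex never reaches the
       actions, so $1 can only ever be a string of the allowed form.
       (Assumed numbering: internal extensions are 1000-1999.) -->
  <extension name="internal-extensions">
    <condition field="destination_number" expression="^(1\d{3})$">
      <action application="set" data="hangup_after_bridge=true"/>
      <action application="bridge" data="user/$1@${domain_name}"/>
    </condition>
  </extension>

  <!-- Assumed numbering: national numbers are a leading 0 plus 9 or 10 digits.
       Same idea: the capture group is the whitelist, not a pass-through. -->
  <extension name="outbound-national">
    <condition field="destination_number" expression="^(0[1-9]\d{8,9})$">
      <action application="bridge" data="sofia/gateway/upstream/$1"/>
    </condition>
  </extension>

  <!-- Everything that matched none of the patterns above ends here rather
       than falling through to a permissive route. A bare condition always
       matches, which is fine because nothing from the caller is reused. -->
  <extension name="no-route">
    <condition>
      <action application="hangup" data="UNALLOCATED_NUMBER"/>
    </condition>
  </extension>

</include>
```

The difference between the two forms is not the presence of a regex but what it admits: "^(.*)$" matches everything and validates nothing, whereas an anchored character-class pattern rejects any input containing characters the route was never meant to carry, before any application sees it. Keep the catch-all for the final hang-up only, where the matched text is never passed on.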



