[Freeswitch-users] Dial String Inject in FreeSwitch

Eder Souza ederwander at gmail.com
Mon Feb 22 09:39:43 PST 2010


Yeah, can somebody make a wiki page for this alert?

I'm taking my page down now to prevent these problems!

OK

On Mon, Feb 22, 2010 at 2:26 PM, Giovanni Maruzzelli <gmaruzz at celliax.org> wrote:

> Eder,
>
> If you fear people can do such *really stupid* things, and this is
> nice of you, please add something to the wiki, for example a
> paragraph in the dialplan page, or whatever, explaining why this is a
> stupid thing.
>
> If you publish a page on your blog that looks like a security alert,
> or says that you found a security flaw in FS, people will rightly think
> that you are just looking for some attention in the search engines,
> and to bring viewers to your page.
>
> Also, in doing so, you push non-technical people to think there is a
> security problem in FS, and this is really a big damage to the
> project. Because it is not true; it is just how it looks on your
> page.
>
> So, delete that page, and add something to the wiki, if you care about
> telling people not to do stupid things.
>
> But please be aware that your page, the page you published, is really
> something that does damage and puts a bad light on the project, and there
> is not one reason for doing this.
>
> -giovanni
>
>
>
> On Mon, Feb 22, 2010 at 6:09 PM, Eder Souza <ederwander at gmail.com> wrote:
> > I prefer FreeSWITCH; I left Asterisk.
> >
> > FreeSWITCH is much, much better than Asterisk, in my opinion!
> >
> >
> > My intention is just to say: don't use (.*), (.+) or combinations of these
> > regular expressions. For me FreeSWITCH is the best!
> >
> >
> >
> > On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale
> > <anthony.minessale at gmail.com> wrote:
> >>
> >> To me it sounds like a way to sound the alarms and bring negative
> >> attention.
> >>
> >> For instance, if you were sincerely concerned, you could have told us
> >> about your discovery privately first, and we could feature a story on our
> >> own site warning people of this danger and reminding them how to compose
> >> extensions properly.
> >>
> >> The posting was instead made like a big public announcement calling our
> >> software "imperfect".
> >> Yes, it is imperfect. It can't properly detect someone being a moron 100%
> >> of the time, but it sure tries its darndest.
> >>
> >>
> >>
> >>
> >> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com> wrote:
> >>>
> >>> Anthony, I don't see why.
> >>>
> >>>
> >>> This is just an alert for the whole community about the danger in the use of the regular
> >>> expressions (.*) or (.*) ...
> >>>
> >>> Many people may make dialplans which use these expressions ...
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale
> >>> <anthony.minessale at gmail.com> wrote:
> >>>>
> >>>> Please do not use our project to try to make your blog more popular.
> >>>>
> >>>> Your example requires you to prepare an intentional specific extension
> >>>> on the FreeSWITCH custom made for your attack. It's like saying if you leave
> >>>> your door wide open at your house and call and tell someone, they can come
> >>>> and rob you at 8:30.
> >>>>
> >>>> This extension is also vulnerable "by virtue of the stupidity of the
> >>>> composer":
> >>>>
> >>>> <extension name="please-hack-me">
> >>>>   <!-- no field/expression: the condition always matches, and the
> >>>>        caller-supplied destination_number goes to "system" unfiltered -->
> >>>>   <condition>
> >>>>    <action application="system" data="${destination_number}"/>
> >>>>   </condition>
> >>>> </extension>
> >>>>
> >>>> You should not allow tainted data from an outside system to be fed directly
> >>>> into your code. There is a regex system in place to extract legitimate data
> >>>> from the user-tainted input and safeguard against this.
> >>>>
> >>>>
> >>>>
> >>>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
> >>>>>
> >>>>> Just for your information, I wrote this article about my tests for injections
> >>>>> in FreeSWITCH.
> >>>>>
> >>>>> Version of my tests:
> >>>>>
> >>>>> freeswitch at internal> version
> >>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
> >>>>> freeswitch at internal>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> FreeSWITCH-users mailing list
> >>>>> FreeSWITCH-users at lists.freeswitch.org
> >>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>>>>
> >>>>> UNSUBSCRIBE: http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>>>> http://www.freeswitch.org
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Anthony Minessale II
> >>>>
> >>>> FreeSWITCH http://www.freeswitch.org/
> >>>> ClueCon http://www.cluecon.com/
> >>>> Twitter: http://twitter.com/FreeSWITCH_wire
> >>>>
> >>>> AIM: anthm
> >>>> MSN: anthony_minessale at hotmail.com
> >>>> GTALK/JABBER/PAYPAL: anthony.minessale at gmail.com
> >>>> IRC: irc.freenode.net #freeswitch
> >>>>
> >>>> FreeSWITCH Developer Conference
> >>>> sip:888 at conference.freeswitch.org
> >>>> iax:guest at conference.freeswitch.org/888
> >>>> googletalk:conf+888 at conference.freeswitch.org
> >>>> pstn:+19193869900
> >>>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
>
> --
> Sincerely,
>
> Giovanni Maruzzelli
> Cell : +39-347-2665618
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100222/9d2fd1e4/attachment-0002.html 
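Added example, not code from this thread or from the FreeSWITCH project: a dialplan fragment that puts the catch-all pattern the thread warns about next to the anchored form Anthony describes. The extension names, the four-digit extension range, the `/usr/local/bin/lookup-route` script and the `bridge` target are assumptions made up for the illustration.

```xml
<include>
  <!-- Added example, not from the thread. Extension names, the number range and
       the lookup-route script are illustrative assumptions. -->

  <!-- WEAK: (.*) matches whatever the caller put in the dialed number, and $1
       (the whole of it) is then substituted into the "system" command line,
       which is handed to a shell. Shell metacharacters in the dialed string
       therefore become commands run on the switch host. -->
  <extension name="weak-catch-all">
    <condition field="destination_number" expression="(.*)">
      <action application="system" data="/usr/local/bin/lookup-route $1"/>
    </condition>
  </extension>

  <!-- HARDENED: the expression is anchored at both ends and admits exactly four
       decimal digits, so $1 can contain nothing but those digits no matter what
       the caller sends. Anything else fails the match and reaches no action. -->
  <extension name="internal-4digit">
    <condition field="destination_number" expression="^(\d{4})$">
      <action application="bridge" data="user/$1@${domain_name}"/>
    </condition>
  </extension>
</include>
```

With the anchored expression a dialed string such as `1001; touch /tmp/owned` simply does not match, so nothing runs; with `(.*)` the same string is captured whole into `$1` and substituted into the command line. The regex is the only filter between the caller and the application, so it has to be a whitelist (anchored, fixed character class, bounded length). The safer rule is to keep caller-controlled data out of `system` entirely and pass only the validated capture to `bridge` or similar applications.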