
Summary: ASTERISK-15610: Dialplan language does not deal with & character safely
Reporter: nick_lewis (nick_lewis)
Labels:
Date Opened: 2010-02-11 08:06:51.000-0600
Date Closed: 2010-02-18 10:48:09.000-0600
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Core/PBX
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: The dialplan language uses the & character to represent arrays. For example 123&456&789 is an array of three elements 123, 456 and 789. However the dialplan language does not prohibit (or escape) the use of a & character in an array element. This means that the content of an element can cause the execution of code when passed to a function (in this case the creation of a new element).

****** ADDITIONAL INFORMATION ******

I propose that either arrays are represented in the dialplan language in a different way or that elements do not contain raw & characters.
Comments:
By: Leif Madsen (lmadsen) 2010-02-11 09:37:47.000-0600

From oej on the mailing list:

I think it would be good for the Asterisk project if we put out a more official document with a security advisory about this security issue. We need to update/add examples in configs/extension.conf in all releases and probably add a document in doc/ for this too.

At the core of this issue is this advice:

"If you take the incoming called number from a voip protocol that allows alphanumeric dialling and use that unfiltered for dialing out, there is an obvious risk that the caller injects data that can be parsed as an additional dialstring by the dial() application in Asterisk.
We advise everyone to filter out the ampersand (&) character from the extension before using it as a dialstring for the dial() application. There are many ways to do this, one is using the CUT dialplan function to take only the first part or the FILTER dialplan function to filter out the dangerous character or deny the call."

The advisory document needs a few examples using CUT, FILTER and possibly REGEX as well.

After this is done, we can discuss future changes in future versions of Asterisk and possibly enhancements to current releases, but I feel it's important to speed up this information.
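Dialplan fragment, added here as an illustration and not taken from the issue or from the Asterisk README the commits below add, showing the three mitigations oej lists (FILTER, CUT, deny) applied to ${EXTEN} before it reaches Dial(). The context name from-sip-provider and the trunk name outbound-trunk are assumptions; the fragment avoids the newer `same =>` shorthand so it reads the same on the 1.2 through 1.6 branches named in the commits.

```ini
[from-sip-provider]
; ${EXTEN} is caller-controlled when the trunk allows alphanumeric dialling,
; and Dial() treats & as a channel separator, so it must never reach Dial() raw.
; Pattern the advisory warns about (shown only for contrast, never use it):
;   exten => _X.,1,Dial(SIP/${EXTEN}@outbound-trunk)
;
; _X. requires a leading digit; the remainder may be anything, which is where
; an injected & would arrive. A site picks one of the options below; all three
; are shown in one flow so they can be compared.

; Option 1 (FILTER): keep digits only, dropping & and every other character.
; An explicit character list is used instead of a 0-9 range so the call
; works on the older branches as well.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0123456789,${EXTEN})})

; Option 2 (CUT): keep only the text before the first & (first argument is the
; variable name, not its value). FIRST_PART is set here for comparison only.
exten => _X.,n,Set(FIRST_PART=${CUT(EXTEN,&,1)})

; Option 3 (deny): refuse the call outright if filtering changed anything,
; the most conservative choice for a trunk that should only ever send digits.
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)

; Only the sanitised value is ever handed to Dial().
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@outbound-trunk,30)
exten => _X.,n,Hangup()

; Rejected calls are logged with the raw value for later review, never dialled.
exten => _X.,n(reject),NoOp(Rejected call to ${EXTEN}: characters outside 0-9)
exten => _X.,n,Hangup()
```

With this in place, a value such as 1234&SIP/other arriving in ${EXTEN} is reduced to 1234 by FILTER and then rejected by the deny step, so no second channel is ever built from caller input.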

By: Digium Subversion (svnbot) 2010-02-18 10:35:33.000-0600

Repository: asterisk
Revision: 247501

A   branches/1.2/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247501 | lmadsen | 2010-02-18 10:35:31 -0600 (Thu, 18 Feb 2010) | 10 lines

Add best practices documentation.

(closes issue ASTERISK-15608)
Reported by: lmadsen

(closes issue ASTERISK-15610)
Reported by: Nick_Lewis
Tested by: lmadsen

Review: https://reviewboard.asterisk.org/r/507/
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247501

By: Digium Subversion (svnbot) 2010-02-18 10:38:21.000-0600

Repository: asterisk
Revision: 247502

A   branches/1.4/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247502 | lmadsen | 2010-02-18 10:38:20 -0600 (Thu, 18 Feb 2010) | 10 lines

Add best practices documentation.

(issue ASTERISK-15608)
Reported by: lmadsen

(issue ASTERISK-15610)
Reported by: Nick_Lewis
Tested by: lmadsen

Review: https://reviewboard.asterisk.org/r/507/
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247502

By: Digium Subversion (svnbot) 2010-02-18 10:41:06.000-0600

Repository: asterisk
Revision: 247503

_U  trunk/
A   trunk/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247503 | lmadsen | 2010-02-18 10:41:05 -0600 (Thu, 18 Feb 2010) | 18 lines

Merged revisions 247502 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines
 
 Add best practices documentation.
 
 (issue ASTERISK-15608)
 Reported by: lmadsen
 
 (issue ASTERISK-15610)
 Reported by: Nick_Lewis
 Tested by: lmadsen
 
 Review: https://reviewboard.asterisk.org/r/507/
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247503

By: Digium Subversion (svnbot) 2010-02-18 10:44:11.000-0600

Repository: asterisk
Revision: 247504

A   branches/1.6.0/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247504 | lmadsen | 2010-02-18 10:44:11 -0600 (Thu, 18 Feb 2010) | 25 lines

Merged revisions 247503 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r247503 | lmadsen | 2010-02-18 11:41:04 -0500 (Thu, 18 Feb 2010) | 18 lines
 
 Merged revisions 247502 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines
   
   Add best practices documentation.
   
   (issue ASTERISK-15608)
   Reported by: lmadsen
   
   (issue ASTERISK-15610)
   Reported by: Nick_Lewis
   Tested by: lmadsen
   
   Review: https://reviewboard.asterisk.org/r/507/
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247504

By: Digium Subversion (svnbot) 2010-02-18 10:46:23.000-0600

Repository: asterisk
Revision: 247505

A   branches/1.6.1/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247505 | lmadsen | 2010-02-18 10:46:21 -0600 (Thu, 18 Feb 2010) | 25 lines

Merged revisions 247503 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r247503 | lmadsen | 2010-02-18 11:41:04 -0500 (Thu, 18 Feb 2010) | 18 lines
 
 Merged revisions 247502 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines
   
   Add best practices documentation.
   
   (issue ASTERISK-15608)
   Reported by: lmadsen
   
   (issue ASTERISK-15610)
   Reported by: Nick_Lewis
   Tested by: lmadsen
   
   Review: https://reviewboard.asterisk.org/r/507/
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247505

By: Digium Subversion (svnbot) 2010-02-18 10:48:09.000-0600

Repository: asterisk
Revision: 247506

A   branches/1.6.2/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247506 | lmadsen | 2010-02-18 10:48:08 -0600 (Thu, 18 Feb 2010) | 25 lines

Merged revisions 247503 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r247503 | lmadsen | 2010-02-18 11:41:04 -0500 (Thu, 18 Feb 2010) | 18 lines
 
 Merged revisions 247502 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines
   
   Add best practices documentation.
   
   (issue ASTERISK-15608)
   Reported by: lmadsen
   
   (issue ASTERISK-15610)
   Reported by: Nick_Lewis
   Tested by: lmadsen
   
   Review: https://reviewboard.asterisk.org/r/507/
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247506