Asterisk PBX Input Validation Flaw Lets Remote Users Inject SQL Commands via CallerID
|
|
SecurityTracker Alert ID: 1007684
|
|
CVE Reference: CAN-2003-0779
(Links to External Site)
|
Date: Sep 12 2003
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: @Stake - L0pht
|
Description: An input validation vulnerability was reported in the Asterisk PBX software. A remote user can inject SQL commands to gain access to the system.
@stake reported that a remote user can set a specially crafted CallerID string to inject SQL commands to be executed by the underlying
database. The flaw reportedly resides in the Call Detail Record (CDR) logging function. The software does not properly validate
CDR data, the report said.
A remote user can exploit this flaw via a voice-over-IP (VoIP) connection or via the telephone network.
The
vendor was reportedly notified on August 17, 2003.
[Editor's note: @stake does not permit redistribution of their advisories.
The original advisory is available at: http://www.atstake.com/research/advisories/2003/a091103-1.txt]
|
Impact: A remote user can inject arbitrary SQL commands to be executed by the underlying database server.
|
Solution: The vendor has issued a fix in the CVS version (as of September 9, 2003).
|
Vendor URL: www.asterisk.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any)
|
Reported By: "@stake Advisories" <advisories@atstake.com>
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
