Asterisk PBX Input Validation Flaw Lets Remote Users Inject SQL Commands via CallerID
|
|
SecurityTracker Alert ID: 1007684 |
|
SecurityTracker URL: http://securitytracker.com/id/1007684
|
|
CVE Reference:
CAN-2003-0779
(Links to External Site)
|
Date: Sep 12 2003
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
An input validation vulnerability was reported in the Asterisk PBX software. A remote user can inject SQL commands to gain access to the system.
@stake reported that a remote user can set a specially crafted CallerID string to inject SQL commands to be executed by the underlying database. The flaw reportedly resides in the Call Detail Record (CDR) logging function. The software does not properly validate CDR data, the report said.
A remote user can exploit this flaw via a voice-over-IP (VoIP) connection or via the telephone network.
The vendor was reportedly notified on August 17, 2003.
[Editor's note: @stake does not permit redistribution of their advisories. The original advisory is available at: http://www.atstake.com/research/advisories/2003/a091103-1.txt]
|
Impact:
A remote user can inject arbitrary SQL commands to be executed by the underlying database server.
|
Solution:
The vendor has issued a fix in the CVS version (as of September 9, 2003).
|
Vendor URL: www.asterisk.org/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
