Asterisk Scripting Support Lets Remote Users Inject Data into Dialplans

SecurityTracker Alert ID: 1023637
SecurityTracker URL: http://securitytracker.com/id/1023637
CVE Reference: CVE-2010-0685
Updated: Feb 27 2010
Original Entry Date: Feb 19 2010
Impact: Modification of user information
Vendor Confirmed: Yes
Description:
A vulnerability was reported in Asterisk. A remote user can inject data into the arguments of dialplan applications.
A remote user can supply a specially crafted string (for example, as the dialed extension) that Asterisk expands into a dialplan variable. When a dialplan passes such a variable to an application without filtering it, characters in the string are interpreted as application syntax rather than as a literal value. A remote user may be able to exploit this to change what the dialplan does with the call.
The Dial() application is affected. Any other dialplan application that receives unfiltered, user-supplied data may also be affected.
Hans Petter Selasky reported this vulnerability.
Impact:
A remote user can inject arbitrary data into dialplans.
Solution:
The vendor has issued an advisory warning dialplan authors of the risk of passing unfiltered, untrusted data to dialplan applications.
The vendor's advisory is available at:
http://downloads.asterisk.org/pub/security/AST-2010-002.html
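The Python model below is an added example; it is not code from the SecurityTracker entry or from the Asterisk project. It shows why handing an unfiltered dialplan variable to Dial() is dangerous and how filtering neutralises the injection. Two facts about real Asterisk behaviour are relied on: Dial() treats "&" in its channel argument as a separator between several channels to ring, and the FILTER(allowed-chars,string) dialplan function drops every character outside the allowed set. The dialplan lines, the dialed strings and the expansion logic itself are constructed for the example and only approximate Asterisk's own parser.

```python
"""Added example: model of Asterisk dialplan variable expansion feeding Dial().

Constructed for illustration; this is not Asterisk's parser.  The behaviour it
relies on is real: Dial() rings every channel in a '&'-separated list, and
FILTER(allowed-chars,string) keeps only characters from the allowed set.
"""

import re

# Constructed dialplan fragments.  The pattern _X. matches one or more
# characters of any kind after a leading digit, so the caller controls
# everything that ends up in ${EXTEN}.
VULNERABLE_DIAL = "Dial(SIP/${EXTEN})"               # exten => _X.,1,Dial(SIP/${EXTEN})
HARDENED_DIAL = "Dial(SIP/${FILTER(0-9,${EXTEN})})"  # exten => _X.,1,Dial(SIP/${FILTER(0-9,${EXTEN})})

# Constructed caller input: a normal extension, and an injection that appends
# a second channel so that Dial() also rings an outside trunk.
NORMAL_EXTEN = "1234"
INJECTED_EXTEN = "1234&DAHDI/g1/18005551212"


def _allowed_set(spec):
    """Expand a FILTER() character spec such as '0-9' or 'a-zA-Z0-9' into a set."""
    chars = set()
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            chars.update(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.add(spec[i])
            i += 1
    return chars


def asterisk_filter(allowed, value):
    """Model of FILTER(allowed,value): drop every character not in the allowed set."""
    keep = _allowed_set(allowed)
    return "".join(ch for ch in value if ch in keep)


_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_FILTER_CALL = re.compile(r"FILTER\(([^,]*),(.*)\)")


def expand(template, variables):
    """Expand ${VAR} and ${FILTER(chars,string)} innermost-first, the way an
    application's arguments are expanded before the application runs."""
    while True:
        m = _INNERMOST.search(template)
        if m is None:
            return template
        body = m.group(1)
        call = _FILTER_CALL.fullmatch(body)
        if call:
            value = asterisk_filter(call.group(1), call.group(2))
        else:
            value = variables.get(body, "")
        template = template[:m.start()] + value + template[m.end():]


def dial_targets(application_call):
    """Model of how Dial() reads its first argument: a '&'-separated channel list."""
    m = re.fullmatch(r"Dial\((.*)\)", application_call)
    if m is None:
        raise ValueError("not a Dial() call: %r" % application_call)
    first_arg = m.group(1).split(",")[0]
    return first_arg.split("&")


def channels_rung(dialplan_line, exten):
    """Channels Dial() would ring for a dialplan line and a caller-supplied extension."""
    return dial_targets(expand(dialplan_line, {"EXTEN": exten}))


def exten_is_clean(exten, allowed="0-9"):
    """Reject-rather-than-strip check: True only if filtering changes nothing.
    Illustrative dialplan equivalent (constructed, not from the advisory):
      exten => _X.,1,GotoIf($["${EXTEN}" != "${FILTER(0-9,${EXTEN})}"]?reject,1)
    """
    return asterisk_filter(allowed, exten) == exten


if __name__ == "__main__":
    for line in (VULNERABLE_DIAL, HARDENED_DIAL):
        for exten in (NORMAL_EXTEN, INJECTED_EXTEN):
            print(line, repr(exten), "->", channels_rung(line, exten))
```

With the vulnerable line the injected extension makes Dial() ring two channels, the second of them an outside trunk the caller chose. FILTER() removes the separator, so only one channel is rung, but it strips rather than rejects: the hardened line still dials a number assembled from the digits of the injected string. Where the extension must be exactly what was dialed, compare the filtered value with the original and hang up on mismatch, as exten_is_clean() does.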
Vendor URL: downloads.asterisk.org/pub/security/AST-2010-002.html
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Fri, 19 Feb 2010 02:43:20 +0000
Subject: Asterisk
http://downloads.asterisk.org/pub/security/AST-2010-002.html