Prev-20 Home Next-20 2 msg Is AsteriskNow and AsteriskGUI download andinst... 1 msg AST-2007-023: SQL Injection vulnerability incdr... 1 msg Basic connection to Nortel C10k? AST-2007-023 - SQL Injection Vulnerability incd... \ The Asterisk Development Team (16 Oct 2007) 1 msg Asterisk-addons 1.2.8 and 1.4.4 released 2 msg voicemail.conf numerical extensions only? 1 msg Re: asterisk-users Digest, Vol 39, Issue 55 1 msg Libpri 1.2.6 and 1.4.2 released 2 msg Background not listening? 1 msg Asterisk 1.4.13 & Unicall 3 msg CALEA enforcement guidelines according to Comcast 6 msg tech prefix 15 msg E4 Superframe E&M? 1 msg Remote SIP extensions with no dial tone 1 msg add prefix to extensions called from zap channels 6 msg Clean Hangup() ? 1 msg Question about the Trixbox and GSM optimization 2 msg Echoes & Asterisk connects too early 3 msg Voicemail gain option NOT working in 1.4.11? 4 msg Call engaged Prev-20 Home Next-20

Prev-Msg Prev-Thread Asterisk-users Oct-2007 Next-Thread Next-Msg Subject: AST-2007-023 - SQL Injection Vulnerability incdr_addon_mysql Group: Asterisk-users From: The Asterisk Development Team Date: 16 Oct 2007 Asterisk Project Security Advisory - AST-2007-023 +------------------------------------------------------------------------+ | Product | Asterisk-Addons | |--------------------+---------------------------------------------------| | Summary | SQL Injection Vulnerability in cdr_addon_mysql | |--------------------+---------------------------------------------------| | Nature of Advisory | SQL Injection | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Minor | |--------------------+---------------------------------------------------| | Exploits Known | Yes | |--------------------+---------------------------------------------------| | Reported On | October 16, 2007 | |--------------------+---------------------------------------------------| | Reported By | Humberto Abdelnur <humberto.abdelnur AT loria DOT | | | fr> | |--------------------+---------------------------------------------------| | Posted On | October 16, 2007 | |--------------------+---------------------------------------------------| | Last Updated On | October 16, 2007 | |--------------------+---------------------------------------------------| | Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> | |--------------------+---------------------------------------------------| | CVE Name | CVE-2007-5488 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | The source and destination numbers for a given call are | | | not correctly escaped by the cdr_addon_mysql module when | | | inserting a record. Therefore, a carefully crafted | | | destination number sent to an Asterisk system running | | | cdr_addon_mysql could escape out of a SQL data field and | | | create another query. This vulnerability is made all the | | | more severe if a user were using realtime data, since | | | the data may exist in the same database as the inserted | | | call detail record, thus creating all sorts of possible | | | data corruption and invalidation issues. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | The Asterisk-addons package is not distributed with | | | Asterisk, nor is it installed by default. The module may | | | be either disabled or upgraded to fix this issue. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------+-------------+-----------------------------------| | Asterisk Open Source | 1.0.x | All versions | |----------------------+-------------+-----------------------------------| | Asterisk Open Source | 1.2.x | All versions prior to | | | | asterisk-addons-1.2.8 | |----------------------+-------------+-----------------------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | asterisk-addons-1.4.4 | |----------------------+-------------+-----------------------------------| | Asterisk Business | A.x.x | Unaffected | | Edition | | | |----------------------+-------------+-----------------------------------| | Asterisk Business | B.x.x | Unaffected | | Edition | | | |----------------------+-------------+-----------------------------------| | AsteriskNOW | pre-release | Unaffected | |----------------------+-------------+-----------------------------------| | Asterisk Appliance | 0.x.x | Unaffected | | Developer Kit | | | |----------------------+-------------+-----------------------------------| | s800i (Asterisk | 1.0.x | Unaffected | | Appliance) | | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |----------------------------------------+-------------------------------| | Asterisk-Addons | 1.2.8 | |----------------------------------------+-------------------------------| | Asterisk-Addons | 1.4.4 | |----------------------------------------+-------------------------------| +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2007-023.pdf and | | http://downloads.digium.com/pub/security/AST-2007-023.html. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+-----------------------+------------------------------| | 2007-10-16 | Tilghman Lesher | Initial release | |-----------------+-----------------------+------------------------------| | 2007-10-16 | Tilghman Lesher | Added CVE number | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - 2007-AST-023 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ --Bandwidth and Colocation Provided by http://www.api-digital.com-- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users Prev-Msg Prev-Thread Asterisk-users Oct-2007 Next-Thread Next-Msg

© 2004-2008 readlist.com