Previous articleBack to news listNext article
|
Sponsored links |
Want to become one of our authors and see your work published on ALLSeek.iNFO ?
|
| Asterisk PBX Input Validation Flaw Lets Remote Users Inject SQL Commands via CallerID |
|---|
Categorie: Vulnerability
Posted: 2003-09-15 by ReCall
Views: 360
Source: Click here
| Current Rating: Not rated
|
|
| Details |
|---|
Description: An input validation vulnerability was reported in the Asterisk PBX software. A remote user can inject SQL commands to gain access to the system.
@stake reported that a remote user can set a specially crafted CallerID string to inject SQL commands to be executed by the underlying database. The flaw reportedly resides in the Call Detail Record (CDR) logging function. The software does not properly validate CDR data, the report said.
A remote user can exploit this flaw via a voice-over-IP (VoIP) connection or via the telephone network.
The vendor was reportedly notified on August 17, 2003.
[Editor's note: @stake does not permit redistribution of their advisories. The original advisory is available at: http://www.atstake.com/research/advisories/2003/a091103-1.txt]
Impact: A remote user can inject arbitrary SQL commands to be executed by the underlying database server.
Solution: The vendor has issued a fix in the CVS version (as of September 9, 2003).
|
| Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=425
|
| User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
|
Previous articleBack to news listNext article
|
