+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|----------------------+------------------------------------------------
-|
| Summary | SQL Injection issue in cdr_pgsql |
|----------------------+------------------------------------------------
-|
| Nature of Advisory | SQL Injection |
|----------------------+------------------------------------------------
-|
| Susceptibility | Remote Authenticated Sessions |
|----------------------+------------------------------------------------
-|
| Severity | Moderate |
|----------------------+------------------------------------------------
-|
| Exploits Known | No |
|----------------------+------------------------------------------------
-|
| Reported On | November 29, 2007 |
|----------------------+------------------------------------------------
-|
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+------------------------------------------------
-|
| Posted On | November 29, 2007 |
|----------------------+------------------------------------------------
-|
| Last Updated On | November 29, 2007 |
|----------------------+------------------------------------------------
-|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+------------------------------------------------
-|
| CVE Name | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | Input buffers were not properly escaped when providing |
| | the ANI and DNIS strings to the Call Detail Record |
| | Postgres logging engine. An attacker could potentially |
| | compromise the administrative database containing users' |
| | usernames and passwords used for SIP authentication, |
| | among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Workaround | Convert your installation to use cdr_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-026.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-026.html |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+------------------------+----------------------------
-|
| 2007-11-29 | Tilghman Lesher | Initial release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - AST-2007-026
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|----------------------+------------------------------------------------
-|
| Summary | SQL Injection issue in cdr_pgsql |
|----------------------+------------------------------------------------
-|
| Nature of Advisory | SQL Injection |
|----------------------+------------------------------------------------
-|
| Susceptibility | Remote Authenticated Sessions |
|----------------------+------------------------------------------------
-|
| Severity | Moderate |
|----------------------+------------------------------------------------
-|
| Exploits Known | No |
|----------------------+------------------------------------------------
-|
| Reported On | November 29, 2007 |
|----------------------+------------------------------------------------
-|
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+------------------------------------------------
-|
| Posted On | November 29, 2007 |
|----------------------+------------------------------------------------
-|
| Last Updated On | November 29, 2007 |
|----------------------+------------------------------------------------
-|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+------------------------------------------------
-|
| CVE Name | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | Input buffers were not properly escaped when providing |
| | the ANI and DNIS strings to the Call Detail Record |
| | Postgres logging engine. An attacker could potentially |
| | compromise the administrative database containing users' |
| | usernames and passwords used for SIP authentication, |
| | among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Workaround | Convert your installation to use cdr_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------------+--------------+---------------------
-|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+--------------+---------------------
-|
| Asterisk Open Source | 1.2.x | 1.2.24 and previous |
|----------------------------------+--------------+---------------------
-|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
|----------------------------------+--------------+---------------------
-|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+--------------+---------------------
-|
| Asterisk Business Edition | B.x.x | B.2.3.3 and previous |
|----------------------------------+--------------+---------------------
-|
| AsteriskNOW | pre-release | None |
|----------------------------------+--------------+---------------------
-|
| Asterisk Appliance Developer Kit | 0.x.x | None |
|----------------------------------+--------------+---------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | None |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.2.25 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.4.15 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | B.2.3.4 |
|---------------------------------------------+-------------------------
-|
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-026.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-026.html |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+------------------------+----------------------------
-|
| 2007-11-29 | Tilghman Lesher | Initial release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - AST-2007-026
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
[ reply ]