Asterisk 1.2.40,,, and Now Available.

The Asterisk Development Team has announced security releases for the following versions of Asterisk:
* 1.2.40
These releases are available for immediate download at [url=][/url]
The releases of Asterisk 1.2.40,,,, and [b]include documentation describing a possible dialplan string injection[/b] through common uses of ${EXTEN} (and other expanded variables). [b]The issue and its resolution are described[/b] in the AST-2010-002 security advisory.
If you use a channel technology that can carry characters other than digits and letters (SIP, for example), it may be possible to craft an INVITE whose dialled extension is data such as 300&Zap/g1/4165551212. Once that value is expanded into Dial(), the & separator creates an additional outgoing channel leg that the dialplan author never intended.
Please note that this is not limited to any specific protocol or to the Dial() application.
The expansion of variables into programmatically interpreted strings is common to many script or script-like languages, Asterisk included. A variable's ability to directly replace components of a command is a feature, not a bug – that is the entire point of string expansion.
However, whether through expediency or a misunderstanding of the design, developers often do not examine and filter string data from external sources before passing it into potentially harmful parts of their dialplan.
The flexibility of Asterisk's design brings these risks when the dialplan designer is not suitably cautious about how foreign data is allowed to enter the system unchecked.
This security release is intended to raise awareness of how malicious strings can be inserted into dialplans, and to advise developers to read the best practices documents so that they can easily avoid these dangers.
For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement.
Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in order to allow the filtering of strings as described in the best practices document.
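The following extensions.conf fragment is an added example (it is not part of the announcement or of the Asterisk sources) that puts the injection described above beside the two fixes the advisory points to: a tight extension pattern, and the backported FILTER() function. The context names and the 30-second dial timeout are assumptions; the injected value 300&Zap/g1/4165551212 is the one from the announcement.

```ini
; extensions.conf fragment (added example, not from the advisory or the Asterisk sources).
; Assumes inbound SIP calls land in one of these contexts and the dialled
; extension is forwarded as-is to a SIP peer of the same name.

[from-sip-vulnerable]
; _X. matches one digit followed by ANY further characters, so a SIP INVITE
; whose Request-URI user part is  300&Zap/g1/4165551212  matches here.
; After expansion Dial() receives  SIP/300&Zap/g1/4165551212  and, because
; '&' separates dial targets, rings a second leg on Zap group 1 that the
; dialplan author never intended.
exten => _X.,1,NoOp(Dialling ${EXTEN})
exten => _X.,n,Dial(SIP/${EXTEN},30)
exten => _X.,n,Hangup()

[from-sip-strict-pattern]
; Fix 1: match only what you expect. _3XX accepts exactly three digits, so
; the injected string never matches and never reaches Dial() at all.
exten => _3XX,1,NoOp(Dialling ${EXTEN})
exten => _3XX,n,Dial(SIP/${EXTEN},30)
exten => _3XX,n,Hangup()

[from-sip-filtered]
; Fix 2: where a wide pattern is unavoidable (or the data comes from
; ${CALLERID(num)}, an AGI script, a database lookup, ...), keep only the
; allowed characters before the value is expanded into an application argument.
; FILTER(<allowed>,<string>) drops every character outside <allowed>.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; Reject the call if anything was stripped. Comparing lengths rather than the
; strings keeps quotes or expression metacharacters in ${EXTEN} out of $[ ].
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN},30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected non-numeric extension ${EXTEN})
exten => _X.,n,Playback(invalid)
exten => _X.,n,Hangup()
```

The same FILTER() discipline applies to any variable whose value originates outside the box and is expanded into an application argument, an AGI command or a $[ ] expression; the patterns in the second context only help when the dialled number is the sole untrusted input.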
It should also be noted that the 1.6.x series of Asterisk had release candidates available as versions,, and. These will either be released as,, and, or, if another round of RC changes is necessary, those version numbers will be used with -rc1 appended.
For a full list of changes in the current releases, please see the ChangeLog:
Security advisory AST-2010-002 is available at:
The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or in all Asterisk branches from 1.2 and up.
Thank you for your continued support of Asterisk!

