Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Asterisk :: tb13642.htm

Asterisk SQL Injection issue in res_config_pgsql



AST-2007-025 - SQL Injection issue in res_config_pgsql
AST-2007-025 - SQL Injection issue in res_config_pgsql



               Asterisk Project Security Advisory - AST-2007-025

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SQL Injection issue in res_config_pgsql         |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | SQL Injection                                   |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      | P. Chisteas             |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher      |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Input buffers were not properly escaped when providing   |
   |             | lookup data to the Postgres Realtime Engine. An attacker |
   |             | could potentially compromise the administrative database |
   |             | containing users' usernames and passwords used for SIP   |
   |             | authentication, among other things.                      |
   |             |                                                          |
   |             | This module is not active by default and must be         |
   |             | configured for use by the administrator. Default         |
   |             | installations of Asterisk are not affected.              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Workaround | Convert your installation to use res_config_odbc with the |
   |            | PgsqlODBC driver. This module provides similar            |
   |            | functionality but is not vulnerable.                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |    Resolution    | Upgrade to Asterisk release 1.4.15 or higher.       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |           Product            |   Release   |                           |
   |                              |   Series    |                           |
   |------------------------------+-------------+---------------------------|
   |     Asterisk Open Source     |    1.0.x    | None                      |
   |------------------------------+-------------+---------------------------|
   |     Asterisk Open Source     |    1.2.x    | None                      |
   |------------------------------+-------------+---------------------------|
   |     Asterisk Open Source     |    1.4.x    | 1.4.14 and previous       |
   |                              |             | versions                  |
   |------------------------------+-------------+---------------------------|
   |  Asterisk Business Edition   |    A.x.x    | None                      |
   |------------------------------+-------------+---------------------------|
   |  Asterisk Business Edition   |    B.x.x    | None                      |
   |------------------------------+-------------+---------------------------|
   |         AsteriskNOW          | pre-release | None                      |
   |------------------------------+-------------+---------------------------|
   | Asterisk Appliance Developer |    0.x.x    | None                      |
   |             Kit              |             |                           |
   |------------------------------+-------------+---------------------------|
   |  s800i (Asterisk Appliance)  |    1.0.x    | None                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           1.4.15            |
   |------------------------------------------+-----------------------------|
   |------------------------------------------+-----------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security | 
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2007-025.pdf and | 
| http://downloads.digium.com/pub/security/AST-2007-025.html | 
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2007-11-29      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-025
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH