The Asterisk Development Team
2007-Oct-17 00:06 UTC
[asterisk-announce] AST-2007-023: SQL Injection vulnerability in cdr_addon_mysql
Asterisk Project Security Advisory - AST-2007-023 +------------------------------------------------------------------------+ | Product | Asterisk-Addons | |--------------------+---------------------------------------------------| | Summary | SQL Injection Vulnerability in cdr_addon_mysql | |--------------------+---------------------------------------------------| | Nature of Advisory | SQL Injection | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Minor | |--------------------+---------------------------------------------------| | Exploits Known | Yes | |--------------------+---------------------------------------------------| | Reported On | October 16, 2007 | |--------------------+---------------------------------------------------| | Reported By | Humberto Abdelnur <humberto.abdelnur AT loria DOT | | | fr> | |--------------------+---------------------------------------------------| | Posted On | October 16, 2007 | |--------------------+---------------------------------------------------| | Last Updated On | October 16, 2007 | |--------------------+---------------------------------------------------| | Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> | |--------------------+---------------------------------------------------| | CVE Name | CVE-2007-5488 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | The source and destination numbers for a given call are | | | not correctly escaped by the cdr_addon_mysql module when | | | inserting a record. Therefore, a carefully crafted | | | destination number sent to an Asterisk system running | | | cdr_addon_mysql could escape out of a SQL data field and | | | create another query. This vulnerability is made all the | | | more severe if a user were using realtime data, since | | | the data may exist in the same database as the inserted | | | call detail record, thus creating all sorts of possible | | | data corruption and invalidation issues. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | The Asterisk-addons package is not distributed with | | | Asterisk, nor is it installed by default. The module may | | | be either disabled or upgraded to fix this issue. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------+-------------+-----------------------------------| | Asterisk Open Source | 1.0.x | All versions | |----------------------+-------------+-----------------------------------| | Asterisk Open Source | 1.2.x | All versions prior to | | | | asterisk-addons-1.2.8 | |----------------------+-------------+-----------------------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | asterisk-addons-1.4.4 | |----------------------+-------------+-----------------------------------| | Asterisk Business | A.x.x | Unaffected | | Edition | | | |----------------------+-------------+-----------------------------------| | Asterisk Business | B.x.x | Unaffected | | Edition | | | |----------------------+-------------+-----------------------------------| | AsteriskNOW | pre-release | Unaffected | |----------------------+-------------+-----------------------------------| | Asterisk Appliance | 0.x.x | Unaffected | | Developer Kit | | | |----------------------+-------------+-----------------------------------| | s800i (Asterisk | 1.0.x | Unaffected | | Appliance) | | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |----------------------------------------+-------------------------------| | Asterisk-Addons | 1.2.8 | |----------------------------------------+-------------------------------| | Asterisk-Addons | 1.4.4 | |----------------------------------------+-------------------------------| +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2007-023.pdf and | | http://downloads.digium.com/pub/security/AST-2007-023.html. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+-----------------------+------------------------------| | 2007-10-16 | Tilghman Lesher | Initial release | |-----------------+-----------------------+------------------------------| | 2007-10-16 | Tilghman Lesher | Added CVE number | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - 2007-AST-023 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.