Colin Anderson
2006-Feb-17 12:14 UTC
[Asterisk-Users] A unique 'click to call' project - Could use some advice <--one thing I forgot
In the example I posted previously, there is an obvious gaping security hole: it would be trivial for someone to read the querystring and exploit it to make free phone calls, spoof caller ID (if you allow the CallerID to be set with a QueryString value), etc. You want to make damn sure that the URL is not publicly accessible, or somehow obfuscate the querystring, or use POST.

In my case, I hard-code the destination phone numbers into the context so even if the script gets exploited all they can do is call a single guy.

good luck

-----Original Message-----
From: Aloi, Christopher [mailto:caloi@usadatanet.com]
Sent: Friday, February 17, 2006 11:16 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could use some advice

Thanks Colin! Makes sense; I will work on this later today. If you can, sending the example would be great.

Thanks,
-- -- --
Christopher T. Aloi
USA Datanet - Technical Support Engineer
318 South Clinton Street
Syracuse, NY 13202
C: (315) 569 4033
O: (315) 579 7074
E: caloi@usadatanet.com
-- -- --

_____

From: Colin Anderson [mailto:ColinA@landmarkmasterbuilder.com]
Sent: Friday, February 17, 2006 12:36 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could use some advice

Same as before, but instead of SIP as the origination channel you pass ZAP/g0/XXXXXXXXXXX (the DID of the agent) to your .call file. In fact, this is exactly how the www.landmarkhomes.ca script works (it calls the guy who entered his phone number on the website; when he picks up, it calls the salesperson's cell number and the two are bridged together). The drawback is, of course, that it uses 2 ZAP channels to bridge the call together, but this isn't a problem I guess for you since you seem to have ZAP channels coming out of your yinyang.

I have an implementation in Active Server Pages (we are a MS shop) that I can send you - it's surprisingly simple - but it could be easily modified for PHP or what have you.

-----Original Message-----
From: Aloi, Christopher [mailto:caloi@usadatanet.com]
Sent: Friday, February 17, 2006 9:56 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could use some advice

Colin,

Thanks for your assistance. Reading over your advice I seem to still be a bit confused. My agents are not on the Asterisk server; it appears in your advice that the call will travel this path:

WWW interface --> agent enters their DID, platform to use, and termination DID --> AST calls agent --> Agent calls termination DID

If my agents are not on the Asterisk server (believe me, I wish they were) :) how will this work? I need a way to pass both the desired termination DID and the origination DID. Maybe I missed something....

Thanks,
-- -- --
Christopher T. Aloi
USA Datanet - Technical Support Engineer
318 South Clinton Street
Syracuse, NY 13202
C: (315) 569 4033
O: (315) 579 7074
E: caloi@usadatanet.com
-- -- --

_____

From: Colin Anderson [mailto:ColinA@landmarkmasterbuilder.com]
Sent: Friday, February 17, 2006 10:42 AM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could use some advice

You create a context in your dialplan that accepts the DID to call as a variable using the SetVar: syntax in your .call file. You then set up the context to call your agent, and when they pick up, the context takes the variable you set in your .call file as the dialstring argument for a subsequent Dial(). Once the DID picks up, the calls are bridged together.

Whatever web scripting language you use writes the .call file, and you use POSTed arguments or querystrings:

http://foo.com/call?context=MyContext&Agent=SIP/5555&DID=15555551212

You can see this in action at www.landmarkhomes.ca - click on any of the pretty buttons that say "Call us now".

However, I have noticed that * 1.2.x will not wait for the caller to pick up before executing the rest of the directives in the context - it keeps executing regardless of the calling party's pickup status. Using * 1.0.x the context will wait for the caller to pick up before placing the call to the callee (i.e. executing the rest of the directives in the context).

.call file (shortened to relevant):

Channel: SIP/XXXX (if you are using SIP phones)
SetVar: DID=XXXXXXXXXXX
Context: MyContext

[MyContext]
exten => s,1,Dial(ZAP/g0/${DID})

hth

-----Original Message-----
From: Aloi, Christopher [mailto:caloi@usadatanet.com]
Sent: Friday, February 17, 2006 8:07 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [Asterisk-Users] A unique 'click to call' project - Could use some advice

Hello List,

I work for an IP communication provider in upstate NY as the engineer assisting our technical support team. We provide a number of different Telco systems to residential subscribers, and in an effort to more effectively troubleshoot termination problems I came up with the idea of creating a click to call system that will allow our agents to effortlessly place test calls.

On a daily basis we place numerous (50-100) 'test' calls to various locations in the US; these 'test' calls are routed using one of three different phone systems:
1) The PSTN
2) Broadband phone platform one
3) Broadband phone platform two

I have an Asterisk server configured that can terminate out the three platforms listed above. Our support agents are behind a Televantage ACD using D-Term Series E NEC phones. Each agent has a DID and is permitted to receive inbound calls on that DID.

Here is my goal: Create a web application that will allow the agent to enter the following information into a form:
1) The agent's DID
2) The platform the agent wishes to terminate a test call through (either 1, 2, 3 above)
3) The number the agent wishes to terminate to

My thought is this form will generate a .call file in /var/spool/asterisk/outgoing that will then ring the agent's station, pause, and terminate to the selected DID using the selected platform. I also thought about interacting directly with the AGI.

I can successfully generate the .call files, and ring a station on the Asterisk server - the problem is the agents are not on the Asterisk server. Is there a way to use Asterisk to initiate these test calls? Is it possible to create a forwarding context to handle this? Any thoughts?

Thanks for the help!

Cheers,
-- -- --
Christopher T. Aloi
USA Datanet - Technical Support Engineer
318 South Clinton Street
Syracuse, NY 13202
C: (315) 569 4033
O: (315) 579 7074
E: caloi@usadatanet.com
-- -- --
Michiel van Baak
2006-Feb-17 12:32 UTC
[Asterisk-Users] A unique 'click to call' project - Could use some advice <--one thing I forgot
On 12:14, Fri 17 Feb 06, Colin Anderson wrote:
> In the example I posted previously, there is an obvious gaping security hole:
> it would be trivial for someone to read the querystring and exploit it to
> make free phone calls, spoof caller ID (if you allow the CallerID to be set
> with a QueryString value), etc. You want to make damn sure that the URL is
> not publicly accessible, or somehow obfuscate the querystring, or use POST.
>
> In my case, I hard-code the destination phone numbers into the context so
> even if the script gets exploited all they can do is call a single guy.

gheh, I was just about to warn this list about that ;)

What I did was use a separate context for it and only allow calls to predefined "agents". In the OP's case, they can make a context which only allows the agent phone nrs on one leg of the call :)

Good luck with the setup

--
Michiel van Baak
http://michiel.vanbaak.info
michiel@vanbaak.info
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"
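The allowlist approach Michiel describes, combined with the .call file layout Colin sketched earlier in the thread, as an added example (not code from either poster or from Asterisk): the web back end checks the agent, platform and destination against server-side tables before anything is written to the spool, and takes the caller ID from a constant rather than the request. The spool paths, agent names, trunk names and the testcall context are assumptions.

```python
import os
import re
import tempfile

# Added example, not code from the thread: a click-to-call back end that checks
# every request value against a server-side table before writing the .call file,
# so nothing taken from a query string reaches the dialplan or a Dial() unchecked.
# Directory, agent, trunk and context names below are assumptions.
SPOOL_DIR = "/var/spool/asterisk/outgoing"   # the directory Asterisk watches
TMP_DIR = "/var/spool/asterisk/tmp"          # same filesystem, but not watched

# Agents who may be rung on the first leg (Michiel's "predefined agents"); constructed.
AGENT_DIDS = {"alice": "3155551001", "bob": "3155551002"}
# The three termination platforms from the original post, mapped to assumed trunk names.
PLATFORMS = {"1": "ZAP/g0", "2": "SIP/platform-one", "3": "SIP/platform-two"}
NANP = re.compile(r"^1?[2-9]\d{9}$")        # 10-digit North American number, optional 1


def build_call_file(agent: str, platform: str, dest: str) -> str:
    """Return the .call text, or raise ValueError for any value not on the allowlist."""
    if agent not in AGENT_DIDS:
        raise ValueError("unknown agent")
    if platform not in PLATFORMS:
        raise ValueError("unknown platform")
    if not NANP.match(dest):
        raise ValueError("destination is not a valid NANP number")
    dest = dest if dest.startswith("1") else "1" + dest
    return "\n".join([
        f"Channel: ZAP/g0/{AGENT_DIDS[agent]}",  # first leg: ring the agent's own DID
        "Callerid: Test Desk <3155550000>",     # fixed server-side, never from the request
        "MaxRetries: 0",
        "WaitTime: 30",
        "Context: testcall",                    # [testcall] exten => s,1,Dial(${TRUNK}/${DID})
        "Extension: s",
        "Priority: 1",
        f"SetVar: TRUNK={PLATFORMS[platform]}",  # second leg: validated trunk and number only
        f"SetVar: DID={dest}",
    ]) + "\n"


def spool_call(agent, platform, dest, spool_dir=SPOOL_DIR, tmp_dir=TMP_DIR):
    """Write the file outside the spool, then rename it in: Asterisk reads a call
    file as soon as it appears, so it must never see a half-written one."""
    fd, tmp = tempfile.mkstemp(suffix=".call", dir=tmp_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(build_call_file(agent, platform, dest))
    final = os.path.join(spool_dir, os.path.basename(tmp))
    os.rename(tmp, final)
    return final
```

The matching dialplan context only ever sees TRUNK and DID values the script already validated, and the agent leg can only reach a number in AGENT_DIDS.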