Colin Anderson
2006-Feb-17 12:14 UTC
[Asterisk-Users] A unique 'click to call' project - Could use some advice <--one thing I forgot
In the example I posted previous, there is an obvious gaping security hole,
it would be trivial for someone to read the querystring and exploit it to
make free phone calls, spoof caller ID (if you allow the CallerID to be set
with a QueryString value), etc. You want to make damn sure that the URL is
not publicly accessible or somehow obsfucate the querystring, or use POST.
In my case, I hard-code the destination phone numbers into the context so
even if the script gets exploited all they can do is call a single guy.
good luck
-----Original Message-----
From: Aloi, Christopher [mailto:caloi@usadatanet.com]
Sent: Friday, February 17, 2006 11:16 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could
usesome advice
Thanks Colin!
Makes sense; I will work on this later today.
If you can, sending the example would be great.
Thanks,
-- -- --
Christopher T. Aloi
USA Datanet - Technical Support Engineer
318 South Clinton Street
Syracuse, NY 13202
C: (315) 569 4033
O: (315) 579 7074
E: <mailto:caloi@usadatanet.com> caloi@usadatanet.com
-- -- --
_____
From: Colin Anderson [mailto:ColinA@landmarkmasterbuilder.com]
Sent: Friday, February 17, 2006 12:36 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could
usesome advice
Same as before but instead of SIP as the origination channel you pass
ZAP/g0/XXXXXXXXXXX (the DID of the agent) to your .call file. In fact, this
is exactly how the www.landmarkhomes.ca <http://www.landmarkhomes.ca>
script works (it calls the guy who entered his phone number in the website,
when he picks up, it calls the salesperson's cell number and the two are
bridged together)
The drawback is, of course, that it uses 2 ZAP channels to bridge the call
together, but this isn't a problem I guess for you since you seem to have
ZAP channels coming out of your yinyang.
I have an implementation in Active Server Pages (we are a MS shop) that I
can send you - it's suprisingly simple - but it could be easily modified for
PHP or what have you.
-----Original Message-----
From: Aloi, Christopher [mailto:caloi@usadatanet.com]
Sent: Friday, February 17, 2006 9:56 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could
usesome advice
Colin,
Thanks for your assistance.
Reading over your advice I seem to still be a bit confused.
My agents are not on the Asterisk server; it appears in your advice that my
the call will travel this path:
WWW interface --> agent enters their DID, platform to use, and termination
DID --> AST calls agent --> Agent calls termination DID
If my agents are not on the Asterisk server (believe me, I wish there were)
:) how will this work?
I need a way to pass both the desired termination DID and the origination
DID.
Maybe I missed something....
Thanks,
-- -- --
Christopher T. Aloi
USA Datanet - Technical Support Engineer
318 South Clinton Street
Syracuse, NY 13202
C: (315) 569 4033
O: (315) 579 7074
E: <mailto:caloi@usadatanet.com> caloi@usadatanet.com
-- -- --
_____
From: Colin Anderson [mailto:ColinA@landmarkmasterbuilder.com]
Sent: Friday, February 17, 2006 10:42 AM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] A unique 'click to call' project - Could
usesome advice
You create a context in your dialplan that accepts the DID to call as a
variable using the SetVar: syntax in your .call file. You then set up the
context to call your agent, and when they pick up, the context takes the
variable you set in your .call file as the dialstring argument for a
subsequent Dial(). Once the DID picks up, the calls are bridged together.
Whatever web scripting language you use writes the .call file, and you use
POSTed arguments or querystrings:
http://foo.com/call?context=MyContext
<http://foo.com/call?context=MyContext&Agent=SIP/5555&DID=15555551212>
&Agent=SIP/5555&DID=15555551212
You can see this in action at www.landmarkhomes.ca
<http://www.landmarkhomes.ca> - click on any of the pretty buttons that
say
"Call us now"
However, I have noticed that * 1.2.x will not wait for the caller to pick up
before executing the rest of the directives in the context - it keeps
executing regardless of the calling party's pickup status. Using * 1.0.x the
context will wait for the caller to pick up before placing the call to the
callee (i.e. executing the rest of the directives in the context)
.call file (shortened to relevant)
Channel: SIP/XXXX (if you are using SIP phones)
SetVar: DID=XXXXXXXXXXX
Context: MyContext
[MyContext]
exten => s,1,Dial(ZAP/g0/${DID})
hth
-----Original Message-----
From: Aloi, Christopher [mailto:caloi@usadatanet.com]
Sent: Friday, February 17, 2006 8:07 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [Asterisk-Users] A unique 'click to call' project - Could use
some
advice
Hello List,
I work for an IP communication provider in upstate NY as the engineer
assisting our technical support team.
We provide a number of different Telco systems to residential subscribers;
and in an effort to more effectively trouble shoot termination problems I
came up with the idea of creating a click to call system that will allow our
agents to effortlessly place test calls.
On a daily basis we place numerous (50-100) 'test' calls to various
locations in the US; these 'test' calls are routed using one of three
different phone systems:
1) The PSTN
2) Broadband phone platform one
3) Broadband phone platform two
I have an Asterisk server configured that can terminate out three platforms
listed above.
Our support agents are behind a Televantage ACD using D-TermSeries E NEC
phones.
Each agent has a DID and are permitted to receive inbound calls on that DID.
Here is my goal:
Create a web application that will allow the agent to enter the following
information into a form:
1) The agents DID
2) The platform the agent wishes to terminate a test call through (either
1,2,3 above)
3) The number the agent wishes to terminate to
My thought is this form will generate a .call file in
/var/spool/asterisk/outgoing that will then ring the agents station, pause,
and terminate to the selected DID using the selected platform. I also
thought about interacting directly with the AGI.
I can successfully generate the .call files, and ring a station on the
Asterisk server - the problem is the agents are not on the Asterisk server.
Is there a way to use Asterisk to initiate these test calls?
Is it possible to create a forwarding context to handle this?
Any thoughts?
Thanks for the help!
Cheers,
-- -- --
Christopher T. Aloi
USA Datanet - Technical Support Engineer
318 South Clinton Street
Syracuse, NY 13202
C: (315) 569 4033
O: (315) 579 7074
E: <mailto:caloi@usadatanet.com> caloi@usadatanet.com
-- -- --
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20060217/0dad1dfd/attachment.htm
Michiel van Baak
2006-Feb-17 12:32 UTC
[Asterisk-Users] A unique 'click to call' project - Could use some advice <--one thing I forgot
On 12:14, Fri 17 Feb 06, Colin Anderson wrote:> In the example I posted previous, there is an obvious gaping security hole, > it would be trivial for someone to read the querystring and exploit it to > make free phone calls, spoof caller ID (if you allow the CallerID to be set > with a QueryString value), etc. You want to make damn sure that the URL is > not publicly accessible or somehow obsfucate the querystring, or use POST. > > In my case, I hard-code the destination phone numbers into the context so > even if the script gets exploited all they can do is call a single guy.gheh, I was just about to warn this list about that ;) What I did was use a seperate context for it and only allow calls to predifined "agents". In the OP's case, they can make a context which only allows the agent phone nr's on one leg of the call :) Good luck with the setup -- Michiel van Baak http://michiel.vanbaak.info michiel@vanbaak.info GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D "Why is it drug addicts and computer afficionados are both called users?"