Hi, this is URGENT.
There seems to be a very big hole in the way that Asterisk's Dial() command parses the ${EXTEN} variable.
It can accept long INVITE data fields with the special character "&", resulting in Dial() dialing additional legs.
If your Dialplan uses the wildcard character "." to match certain numbers, then a malicious user can inject extra Dial strings into your Dialplan.
i.e. suppose that you have a context with the following "catch-all" extension
exten => _X.,1,Dial(SIP/${EXTEN})
A user is able to send you packets with INVITE data as:
0044XXXXXXX&SIP/myitsp_provider/<A_NUMBER_FREE_OF_CHARGE>
According to my analysis, A2B does not seem to be affected by this because it does not call the Dial application directly.
It does use the Dial function; however, this is done inside the PHP AGI code.
Maybe there is a simple sanity check for the number to be called.
I'd like to know if there are any potential vulnerabilities for the A2Billing platform, 1.3.3 and beyond.
Please refer to the official Asterisk security group announcement:
http://www.asterisk.org/security
http://downloads.asterisk.org/pub/security/AST-2010-002.pdf
Regards
TZ