Ticket #4507 (closed Bugs: fixed)

Opened 3 years ago

Last modified 3 years ago

Extension secret bug - Use of special characters notably a semicolon (;)

Reported by: acosgrove
Assigned to:
Priority: major
Milestone: 2.9
Component: Weak Passwords
Version: 2.8-branch
Keywords:
Cc:
Confirmation: Unreviewed
Distro:
Backend Engine: Asterisk 1.4.x
Distro Ver:
Backend Ver:
SVN Revision (if applicable):

Description

When using non-alphanumeric characters in the extension secret field, most notably the semicolon (;), the input is not validated when submitted, resulting in a potential security breach for extensions.

Ex: a password beginning with ;

secret=;myweakpw123

Asterisk interprets the ; as a comment making the password for this extension effectively blank.

Ex 2: a password which contains ; near the beginning

secret=1234;myweakpw

Again, here the only part that will be interpreted when processing the digest challenge will be 1234, leaving the end user vulnerable to attacks conducted by sipvicious or other scripts.

Tested and confirmed on FreePBX 2.7.0.5 and 2.8.0.2
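The truncation described above, as an added example that is not part of the ticket or of FreePBX's code: a small model of Asterisk's config reader (an unescaped `;` starts a comment; the documented escape `\;` yields a literal semicolon), a naive writer that reproduces the bug, an escaping writer that avoids it, and an audit that flags generated `secret=` lines whose effective value differs from what was written. The sample config is constructed; whether the r10264 fix escapes the same way is not asserted here.

```python
# Added example (not FreePBX code): model of how Asterisk reads a secret=
# line, where ';' starts a comment unless written as '\;', plus an audit.

def effective_value(line):
    """Value Asterisk keeps from one 'key=value' line: stops at the first
    unescaped ';'; the sequence '\\;' yields a literal ';'."""
    kept, i = [], 0
    while i < len(line):
        if line.startswith("\\;", i):
            kept.append(";")  # escaped: literal semicolon survives
            i += 2
        elif line[i] == ";":
            break  # unescaped: rest of the line is a comment
        else:
            kept.append(line[i])
            i += 1
    return "".join(kept).partition("=")[2].strip()

def secret_line_naive(secret):
    """Writer that does no escaping: the buggy behaviour from the ticket."""
    return "secret=" + secret

def secret_line_escaped(secret):
    """Writer that escapes ';' so the whole secret reaches Asterisk."""
    return "secret=" + secret.replace(";", "\\;")

def audit_secrets(config_text):
    """Lines starting 'secret=' whose effective value differs from what was
    written; any hit is an extension whose password is weaker than intended."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("secret="):
            written = line[len("secret="):].replace("\\;", ";")
            if effective_value(line) != written:
                findings.append(line)
    return findings

# Constructed sample of a generated sip_additional.conf (not a real capture).
SAMPLE_CONF = """[2001]
secret=;myweakpw123
[2002]
secret=1234;myweakpw
[2003]
secret=1234\\;myweakpw
[2004]
secret=S3cur3pw
"""
```

Running `audit_secrets` over a freshly generated config before `sip reload` catches exactly the two cases the ticket describes while leaving escaped and plain secrets alone.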

Change History

09/14/10 17:57:07 changed by p_lindheimer

  • status changed from new to closed.
  • resolution set to fixed.

(In [10264]) fixes #4507 allow ';' characters in secrets

09/14/10 17:59:21 changed by p_lindheimer

(In [10265]) Merged revisions 10264 via svnmerge from http://svn.freepbx.org/modules/branches/2.7

........

r10264 | p_lindheimer | 2010-09-14 14:57:06 -0700 (Tue, 14 Sep 2010) | 1 line

fixes #4507 allow ';' characters in secrets

........

09/15/10 20:00:30 changed by p_lindheimer

(In [10283]) Merged revisions 10179-10253,10255-10282 via svnmerge from http://svn.freepbx.org/modules/branches/2.8

................

r10187 | p_lindheimer | 2010-07-22 08:48:47 -0700 (Thu, 22 Jul 2010) | 1 line

fixes #4463 create backup directory on install of module

................

r10189 | mickecarlsson | 2010-07-22 21:58:29 -0700 (Thu, 22 Jul 2010) | 1 line

Re #4468, updated Russian language for dictate. Thank you ded.

................

r10190 | mickecarlsson | 2010-07-22 22:01:03 -0700 (Thu, 22 Jul 2010) | 1 line

Close #4468, updated Russian language for voicemail. Thank you ded.

................

r10197 | mickecarlsson | 2010-07-29 02:30:08 -0700 (Thu, 29 Jul 2010) | 1 line

Close #4477 add French language to daynight. Thank you tomarch

................

r10199 | mickecarlsson | 2010-07-29 09:17:49 -0700 (Thu, 29 Jul 2010) | 1 line

Close #4478 add French language to fax. Thank you tomarch

................

r10204 | mbrevda | 2010-08-02 14:32:51 -0700 (Mon, 02 Aug 2010) | 1 line

closes #4474. Fix for IE users. Guys, GET WITH THE TIMES!!

................

r10205 | mbrevda | 2010-08-02 14:33:23 -0700 (Mon, 02 Aug 2010) | 1 line

Module Publish Script: dashboard 2.8.0.3

................

r10223 | mickecarlsson | 2010-08-23 09:08:37 -0700 (Mon, 23 Aug 2010) | 1 line

Re #4506 updated russian language for queues. Thank you ded

................

r10239 | p_lindheimer | 2010-09-03 12:34:04 -0700 (Fri, 03 Sep 2010) | 1 line

remove deprecated split in dialparties.agi re #4401

................

r10245 | mickecarlsson | 2010-09-06 22:17:14 -0700 (Mon, 06 Sep 2010) | 1 line

Close #4529, add Chinese language to fax module. Thank you voip88_chris

................

r10257 | p_lindheimer | 2010-09-13 12:41:09 -0700 (Mon, 13 Sep 2010) | 1 line

Module Publish Script: disa 2.8.0.1

................

r10263 | p_lindheimer | 2010-09-14 14:24:53 -0700 (Tue, 14 Sep 2010) | 1 line

fixes #4525 allow w (pause) in trunk prepends - still interested in the scenarios that this is needed

................

r10265 | p_lindheimer | 2010-09-14 14:59:21 -0700 (Tue, 14 Sep 2010) | 9 lines

Merged revisions 10264 via svnmerge from http://svn.freepbx.org/modules/branches/2.7

........

r10264 | p_lindheimer | 2010-09-14 14:57:06 -0700 (Tue, 14 Sep 2010) | 1 line

fixes #4507 allow ';' characters in secrets

........

................

r10266 | p_lindheimer | 2010-09-14 15:03:54 -0700 (Tue, 14 Sep 2010) | 1 line

fixes #4502 allow 9 matches

................

r10267 | p_lindheimer | 2010-09-14 15:18:58 -0700 (Tue, 14 Sep 2010) | 1 line

fixes #4499 remove leading '&' from a device as previous (and maybe current) versions sometimes put it there

................

r10269 | p_lindheimer | 2010-09-14 16:59:40 -0700 (Tue, 14 Sep 2010) | 1 line

closes #4484 so that sercid subroutines function properly when follow-me/ringgroups are called from a queue

................

r10270 | p_lindheimer | 2010-09-15 16:26:40 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: findmefollow 2.8.0.4

................

r10271 | p_lindheimer | 2010-09-15 16:26:49 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: backup 2.8.0.7

................

r10272 | p_lindheimer | 2010-09-15 16:26:57 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: ringgroups 2.8.0.2

................

r10273 | p_lindheimer | 2010-09-15 16:27:06 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: directory 2.8.0.0

................

r10275 | p_lindheimer | 2010-09-15 16:27:17 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: core 2.8.0.3

................

r10276 | p_lindheimer | 2010-09-15 16:27:32 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: fw_ari 2.8.0.5

................

r10277 | p_lindheimer | 2010-09-15 16:27:59 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: framework 2.8.0.3

................

r10278 | p_lindheimer | 2010-09-15 16:43:50 -0700 (Wed, 15 Sep 2010) | 9 lines

Merged revisions 10196 via svnmerge from http://svn.freepbx.org/modules/branches/2.7

........

r10196 | GameGamer43 | 2010-07-27 09:33:52 -0700 (Tue, 27 Jul 2010) | 1 line

closes #4473 - updates the mindterm.jar to the latest version as put out by AppGate

........

................

r10279 | p_lindheimer | 2010-09-15 16:44:40 -0700 (Wed, 15 Sep 2010) | 1 line

Module Publish Script: javassh 2.8.0.1

................