Posted: Thu Nov 29, 2007 11:18 pm Post subject: [asterisk-announce] AST-2007-025 - SQL Injection issue in re
Asterisk Project Security Advisory - AST-2007-025
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SQL Injection issue in res_config_pgsql |
|----------------------+-------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | P. Chisteas <p_christ AT hol DOT gr> |
|----------------------+-------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | lookup data to the Postgres Realtime Engine. An attacker |
| | could potentially compromise the administrative database |
| | containing users' usernames and passwords used for SIP |
| | authentication, among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Workaround | Convert your installation to use res_config_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+------------------------+-----------------------------|
| 2007-11-29 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2007-025
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum