Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

AST-2007-025 - SQL Injection issue in res_config_pgsql
From: Asterisk Security Team <security () asterisk org>
Date: Thu, 29 Nov 2007 17:11:06 -0600

               Asterisk Project Security Advisory - AST-2007-025

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SQL Injection issue in res_config_pgsql         |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | SQL Injection                                   |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      | P. Chisteas <p_christ AT hol DOT gr>            |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher <tlesher AT digium DOT com>     |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2007-6171                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Input buffers were not properly escaped when providing   |
   |             | lookup data to the Postgres Realtime Engine. An attacker |
   |             | could potentially compromise the administrative database |
   |             | containing users' usernames and passwords used for SIP   |
   |             | authentication, among other things.                      |
   |             |                                                          |
   |             | This module is not active by default and must be         |
   |             | configured for use by the administrator. Default         |
   |             | installations of Asterisk are not affected.              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Workaround | Convert your installation to use res_config_odbc with the |
   |            | PgsqlODBC driver. This module provides similar            |
   |            | functionality but is not vulnerable.                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |    Resolution    | Upgrade to Asterisk release 1.4.15 or higher.       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | None                        |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | None                        |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | 1.4.14 and previous         |
   |                            |             | versions                    |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | None                        |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | None                        |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    C.x.x    | C.1.0-beta5 and previous    |
   |                            |             | versions                    |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | None                        |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | None                        |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | None                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                  |          Release           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.4.15           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |        C.1.0-beta6         |
   |-------------------------------------------+----------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-025.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-025.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |     Date     |      Editor       |           Revisions Made            |
   |--------------+-------------------+-------------------------------------|
   | 2007-11-29   | Tilghman Lesher   | Initial release                     |
   |--------------+-------------------+-------------------------------------|
   | 2007-11-29   | Tilghman Lesher   | Added CVE number, ABE C version     |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-025
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault