On Sun, 2006-08-27 at 08:56 -0500, Kevin P. Fleming wrote:
> No, it is not. The input to app_record comes from the _administrator_, not
> from a user. The administrator has complete and total control over what is
> fed to app_record, and if they do something silly like allow untrusted data
> from a user to be part of that input, then they can expect to be vulnerable.
But at the same time Asterisk could use a built-in sanity checker to escape various characters etc... i.e. protecting people from themselves...

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Security mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-security
