On 12:14, Fri 17 Feb 06, Colin Anderson wrote:
> In the example I posted previously, there is an obvious gaping security hole;
> it would be trivial for someone to read the querystring and exploit it to
> make free phone calls, spoof caller ID (if you allow the CallerID to be set
> with a QueryString value), etc. You want to make damn sure that the URL is
> not publicly accessible or somehow obfuscate the querystring, or use POST.
>
> In my case, I hard-code the destination phone numbers into the context so
> even if the script gets exploited all they can do is call a single guy.
gheh, I was just about to warn this list about that ;)

What I did was use a separate context for it and only allow calls to predefined "agents".
In the OP's case, they can make a context which only allows the agent phone numbers on one leg of the call :)

Good luck with the setup

--
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D
"Why is it drug addicts and computer aficionados are both called users?"

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
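Added example of the restricted-context idea both posts describe (this is not code from either poster): an extensions.conf context in which only the predefined agent extensions exist, so a click-to-call script can originate a call into that context but cannot reach any other number through it. The context name agents-only, the extensions 1001 and 1002 and the SIP peer names are assumed placeholders.

```ini
; extensions.conf (added example, not from the original thread)
; A dedicated context for calls originated by the web script. Only the
; agents listed here can be reached; there is no trunk pattern in this
; context, so a tampered request cannot dial an arbitrary number via it.
[agents-only]
; assumed placeholder agents: extension -> SIP peer
exten => 1001,1,Dial(SIP/agent-alice,30)
exten => 1001,n,Hangup()
exten => 1002,1,Dial(SIP/agent-bob,30)
exten => 1002,n,Hangup()

; Catch-all: anything that is not a listed agent is logged and refused.
; Exact matches above take precedence over this pattern. The NoOp line
; is what shows up in the verbose log when something probes the context.
exten => _X.,1,NoOp(agents-only: refused attempt to reach ${EXTEN})
exten => _X.,n,Hangup()
```

The originating side (a call file dropped into the outgoing spool directory, or an AMI Originate) then sets Context to agents-only and Extension to the agent's extension; the script should map a short agent identifier to that extension itself rather than copying a caller-supplied phone number into the Extension field. Keep the trunk dialing patterns in a different context so that nothing in agents-only can route out to the PSTN.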
