BID:26095

Asterisk 'asterisk-addons' CDR_ADDON_MYSQL Module SQL Injection Vulnerability

Info

Asterisk 'asterisk-addons' CDR_ADDON_MYSQL Module SQL Injection Vulnerability

Bugtraq ID:	26095
Class:	Input Validation Error
CVE:	CVE-2007-5488
Remote:	Yes
Local:	No
Published:	Oct 16 2007 12:00AM
Updated:	Oct 17 2007 06:37PM
Credit:	Humberto Abdelnur <[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	Asterisk Asterisk-addons 1.4.3 Asterisk Asterisk-addons 1.2.7

Not Vulnerable:	Asterisk Asterisk-addons 1.4.4 Asterisk Asterisk-addons 1.2.8

Discussion

Exploit / POC

Asterisk 'asterisk-addons' CDR_ADDON_MYSQL Module SQL Injection Vulnerability

An attacker can exploit this issue via a browser.

A proof of concept is available.

/data/vulnerabilities/exploits/asterisk_addons_sql.pl

Solution / Fix

Asterisk 'asterisk-addons' CDR_ADDON_MYSQL Module SQL Injection Vulnerability

Solution:
The vendor has released 'asterisk-addons' 1.2.8 and 1.4.4 to address this issue. Please contact the vendor for details.

Asterisk Asterisk-addons 1.4.3

Asterisk asterisk-addons-1.4.4.tar.gz
http://www.digium.com/elqNow/elqRedir.htm?ref=http://downloads.digium. com/pub/asterisk/asterisk-addons-1.4.4.tar.gz

References

Asterisk 'asterisk-addons' CDR_ADDON_MYSQL Module SQL Injection Vulnerability

References:

Asterisk Homepage (Asterisk)
AST-2007-023 - SQL Injection Vulnerabilty in cdr_addon_mysql (Asterisk Security Team )
Asterisk Project Security Advisory - AST-2007-023 (Asterisk)