Asterisk/FreePBX dial plan injection vulnerability

There is an interesting discussion on the PBX-in-a-Flash forums regarding an Asterisk security announcement (AST-2010-002, dial plan injection).

If you write custom Asterisk contexts outside of FreePBX (for example in extensions_custom.conf) then you should read through how to do this securely. In particular, do not pass an extension matched by a wildcard pattern such as _X. or _. straight into Dial(): the matched ${EXTEN} can contain characters like & and / that Dial() treats as extra destinations or channel selectors, so a caller can create channels through your trunks in a manner you never intended.
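As an added example (not from the original post, the forum discussion or FreePBX itself), here is the vulnerable pattern beside a hardened version, in extensions.conf syntax. The context name, the trunk name mytrunk and the dial prefix 9 are assumptions for illustration.

```ini
; Added example, not part of the original post. Context, trunk name and
; prefix are assumed for illustration.

[outbound-unsafe]
; VULNERABLE: the '.' wildcard matches one or more characters of ANY kind,
; not just digits, and ${EXTEN} is handed to Dial() untouched. A SIP
; INVITE whose user part is  9123456&SIP/mytrunk/00441234567890  makes
; Dial() treat the '&' as a separator and ring the injected destination too.
exten => _9X.,1,Dial(SIP/mytrunk/${EXTEN:1},60)
exten => _9X.,n,Hangup()

[outbound-hardened]
; HARDENED: strip everything except digits with FILTER() before dialling,
; and refuse the call if nothing is left. ${EXTEN:1} drops the leading 9.
exten => _9X.,1,NoOp(Outbound request from ${CALLERID(num)} to ${EXTEN})
exten => _9X.,n,Set(DIALSTR=${FILTER(0-9,${EXTEN:1})})
exten => _9X.,n,GotoIf($["${DIALSTR}" = ""]?badnumber)
exten => _9X.,n,Dial(SIP/mytrunk/${DIALSTR},60)
exten => _9X.,n,Hangup()
exten => _9X.,n(badnumber),Playback(invalid)
exten => _9X.,n,Hangup()
```

The simplest alternative, where your numbering plan allows it, is to drop the wildcard entirely and use a fixed-length pattern such as _9NXXNXXXXXX, which can only ever match digits and so cannot match an injected & or /. Either way, check every custom context for Dial(), Queue() and similar applications that consume ${EXTEN}, not only the outbound routes.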

Also raised is the potential of an Asterisk/FreePBX system being compromised via the Asterisk Recording Interface (ARI). This is the web interface that allows users to log in and view and manage their voicemails and call recordings. If you do not use this feature of FreePBX it is strongly recommended that you remove access to it. This can be done simply by running the following command as root on systems with the standard configuration –

chmod 000 /var/www/html/recordings

This will prevent the ARI from being reached via a browser. Re-check the permissions after upgrading FreePBX, as its permission-fixing routines may restore them.

If you would like more information regarding Asterisk dialplan security please see the following resources –

http://www.asterisk.org/node/49906
http://downloads.asterisk.org/pub/security/AST-2010-002.html
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
http://www.freepbx.org/forum/freepbx/users/dial-plan-injection-vulnerability

Also, always use complex, difficult-to-guess passwords in all areas when setting up Asterisk/FreePBX: SIP peer secrets, voicemail PINs and the web logins alike.

If you have a sysadminman VPS and would like the ARI interface disabling please raise a ticket via the helpdesk.

As always thanks to Ward Mundy and Joe Roper who make a great contribution to the Asterisk community.