I think the answer is no, though we would welcome people in the community having a closer look at our dialplan to see if this or variations of this are possible on FreePBX.
Given the flexibility for customization, I would not be surprised if there were ways that ‘more advanced’ users could create such a vulnerability, and there is no question that if they start putting custom dialplan at the ‘extensions.conf’ level they could.
In general, FreePBX always sends a call via a goto targeted at specific contexts. The closest vulnerability would be allowing anonymous SIP calls. However, in that case, here is the stock code that handles the calls:
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${ALLOW_SIP_ANON}"="yes"]?checklang:noanonymous)
exten => s,n(checklang),GotoIf($["${SIPLANG}"!=""]?setlanguage:from-trunk,${DID},1)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n,Goto(from-trunk,${DID},1)
The crux of that being the last statement, which effectively uses the ${EXTEN} that came in with the call, so conceptually:
exten => _X.,n,Goto(from-trunk,${EXTEN},1)
However, we are not doing a dial; you must explicitly have a context in from-trunk, or included in from-trunk, that can capture the value in ${EXTEN}. This is not like passing it straight to the Dial() command, where you can get the injection results described in the article.
So … I think we are safe, but we very much welcome having vulnerabilities pointed out so we can address them. It happens on a fairly regular basis with some of the security organizations that publish vulnerabilities out there.
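The distinction the post draws (a Goto that only selects a context and extension pattern versus a Dial() that interprets ${EXTEN} as part of a dial string) can be checked mechanically. The following is an added example, not FreePBX's own code: a small dialplan audit script that tracks variables Set() from ${EXTEN}, treats Goto()/GotoIf() as non-sinks and Dial()/System() as sinks, and regards a FILTER() wrapper as sanitising. The context name from-sip-external and the two constructed contexts are assumptions for the sample, and the regexes are a heuristic for single-line `exten =>` entries only.

```python
import re

# Applications whose argument string is interpreted (dial string / shell).
# ${EXTEN} reaching one of these unsanitised is the risky pattern.
SINK_APPS = {"Dial", "System", "TrySystem", "Exec", "TryExec"}
EXTEN_LINE = re.compile(r"^\s*exten\s*=>\s*([^,]+),([^,]+),(\w+)\((.*)\)\s*$")
CONTEXT_LINE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def _references(args, names):
    """True if args use ${NAME} or ${NAME:...} for a NAME in names, outside FILTER()."""
    cleaned = re.sub(r"FILTER\([^)]*\)", "", args)  # FILTER() is treated as sanitising
    return any(re.search(r"\$\{" + re.escape(n) + r"[:}]", cleaned) for n in names)

def audit_dialplan(text):
    """Return (findings, tainted): sinks fed by ${EXTEN}, and the variables
    that Set() derived from ${EXTEN} per context. Goto() is not a sink, since
    its target must still match an extension pattern in the named context."""
    findings, tainted, context = [], {}, "default"
    for lineno, line in enumerate(text.splitlines(), 1):
        if (m := CONTEXT_LINE.match(line)):
            context = m.group(1)
            continue
        if not (m := EXTEN_LINE.match(line)):
            continue
        app, args = m.group(3), m.group(4)
        names = {"EXTEN"} | tainted.setdefault(context, set())
        if app == "Set" and (a := re.match(r"(\w+)=(.*)", args)):
            if _references(a.group(2), names):
                tainted[context].add(a.group(1))
        elif app in SINK_APPS and _references(args, names):
            findings.append((lineno, context, app))
    return findings, tainted

# Constructed sample: the stock lines quoted in the post (context name assumed),
# plus two made-up contexts (placeholder names) showing the unsafe and filtered forms.
SAMPLE_DIALPLAN = """\
[from-sip-external]
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${ALLOW_SIP_ANON}"="yes"]?checklang:noanonymous)
exten => s,n(checklang),GotoIf($["${SIPLANG}"!=""]?setlanguage:from-trunk,${DID},1)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n,Goto(from-trunk,${DID},1)
[constructed-unsafe]
exten => _X.,1,Dial(SIP/${EXTEN}@provider)
[constructed-filtered]
exten => _X.,1,Dial(SIP/${FILTER(0-9,${EXTEN})}@provider)
"""
```

Running `audit_dialplan(SAMPLE_DIALPLAN)` reports only the Dial() in the constructed-unsafe context; the stock lines produce no finding, though DID is recorded as derived from ${EXTEN}.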