[Devel] authentication issue
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Wed Mar 29 17:12:15 CEST 2006
Hi Juha,
A first question (haven't checked it against the RFC), but is it allowed to have
user@domain in the username attribute?
regards,
bogdan
Juha Heinanen wrote:
>one user managed to send an invite that had From URI sip:foo@X and in
>Proxy-Authorization header username=bar@Y and realm=X.
>
>auth module checks that P-A realm matches From URI host part. when
>uri_radius module sends out radius authentication request, it takes
>A_DIGEST_USER_NAME value from P-A header username if it has domain part,
>which in the example is bar@Y. otherwise it takes user from username
>and domain from realm.
>
>the problem is that user username=foo@Y may indeed exist with matching
>password, and that user may have URI with user part foo, but not in
>domain X as advertised by From URI.
>
>this looks like a quite serious bug to me. possible fixes:
>
>(1) always take A_DIGEST_USER_NAME domain from realm.
>
>(2) if digest username has domain, check that it matches realm and if
> not, issue an error.
>
>comments?
>
>-- juha
>_______________________________________________
>Devel mailing list
>Devel@openser.org
>http://openser.org/cgi-bin/mailman/listinfo/devel
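The mismatch Juha describes, and the two proposed fixes, as an added example (not OpenSER code; the From URI, Proxy-Authorization header and policy names are constructed for illustration). It derives the A_DIGEST_USER_NAME value under the reported behaviour, under fix (1) and under fix (2), so the difference can be seen on the thread's own case:

```python
import re

# Constructed sample (not from the thread) reproducing the reported case:
# From URI host X, Proxy-Authorization username carrying domain Y, realm X.
FROM_URI = "sip:foo@X"
PROXY_AUTH = ('Digest username="bar@Y", realm="X", nonce="n1", '
              'uri="sip:X", response="0123456789abcdef"')


def parse_digest(header: str) -> dict:
    """Split a Digest credential header into its name=value parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}


def from_host(from_uri: str) -> str:
    """Host of a From URI such as 'sip:foo@X' or '"Foo" <sip:foo@X;tag=1>'."""
    m = re.search(r'<?sips?:(?:[^@<>;]*@)?([^>;:]+)', from_uri)
    if not m:
        raise ValueError("unparseable From URI")
    return m.group(1)


def digest_user_name(from_uri: str, proxy_auth: str, policy: str):
    """Value to place in A_DIGEST_USER_NAME, or None when the request is rejected.

    policy "legacy": the behaviour described in the thread (a username that
                     carries a domain is used as-is).
    policy "realm":  fix (1), the domain is always taken from realm.
    policy "strict": fix (2), a username domain must equal the realm.
    """
    p = parse_digest(proxy_auth)
    realm, username = p.get("realm", ""), p.get("username", "")
    # auth module check: realm must match the From URI host part
    if realm.lower() != from_host(from_uri).lower():
        return None
    user, _, dom = username.partition("@")
    if dom:
        if policy == "legacy":
            return username
        if policy == "strict" and dom.lower() != realm.lower():
            return None
    return f"{user}@{realm}"
```

With the sample above, "legacy" yields bar@Y (the user that may exist with a matching password in the wrong domain), "realm" yields bar@X, and "strict" rejects the request.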