From daniel@voice-system.ro Thu Oct 18 16:18:07 2007
From: Daniel-Constantin Mierla <daniel@voice-system.ro>
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Thu, 18 Oct 2007 17:26:59 +0300
Message-ID: <47176D33.3000801@voice-system.ro>
In-Reply-To: <47170FA8.3000409@pernau.at>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1288188472=="

--===============1288188472==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit



On 10/18/07 10:47, Klaus Darilion wrote:
>
>
> William Quan schrieb:
>> Hi all,
>> I came across a security alert that basically embeds javascript in the
>> display name of the From to initiate cross-site-scripting (XSS) attacks.
>> Here is an example:
>>
>> From: "<script>alert('hack')</script>""user"
>> <sip:user at domain.com 
>> <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>;tag=002a000c 
>>
>
> Thats a cool attack. I fear there will be more smart attacks in the 
> next time.
cooler and cooler. My opinion is that the client should take care. I do 
not see any reason why an application will interpret the display or user 
name. It should be printed as it is. Same we can say may happen with the 
email, when the text message will be interpreted, but not just 
displayed. Would be funny to get compile errors or code executed when 
someone just gives a snippet in a message.

AFAIK, unless is need for escape/unescape, those values should be taken 
literally. Of course, having something in openser to detect/prevent 
would be nice, but just as an add-on. Don't forget that some headers 
bring nightmare after changing them -- although, in such cases, the 
caller device won't care too much :)

Cheers,
Daniel

>
> klaus
>
>> Grammatically , I don't see an issue with this. However, under the right
>> circumstances this could get ugly.
>> Do you see value in having openser take a proactive role to detect these
>> and reject calls?  Or is this outside the scope of what a proxy should
>> be doing (leave it to the UA to sanitize) ?
>>
>> Looking to get your thoughts-
>> -will
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users(a)openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
>


--===============1288188472==--