28 Jul
2004
28 Jul
'04
3:01 p.m.
On Wed, 28 Jul 2004, Bogdan-Andrei IANCU wrote:
zolia(a)z1sys.com wrote:
yes probably, is would work only in real time, ie.
to write some small
proxy, which rewrites authorization header putting in in parallel sniffed
encrypted password. Its a bit harder..
hello,
is it possible to do source ip authentication besides normal
www_authorize() for every user account?. This, as i understand, should
prevent from intercepting credentials and later faking sip message to
bypass www_authorization ?
this doesn't work. for each authentication challenge, ser generates an
noun that is kept into memory for a short period of time. So, this kind
of exploit is very limited - only if somebody trys in real time to do it
and in very narrow time window. IP checking doesn't help you - they can be also
spoof. Plus, against
what address you check when the user register for the first time? or if
What do you
mean by "first time"? If there are only one IP from which UA
requests MUST originate, then it should be possible to check it.
the user use multiple client in the same time?
This would not be possible in our scenario.
Antanas
bogdan
Or maybe there are some other counter measures
against such fraud?
Does src_ip comes directly from ip layer? If so, i could probably use this
to check with some external database (ie. ser subscriber)?
Antanas
NTT
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers