Yes, you are absolutely right! I realised later that it isn't that simple to parse addresses.

However, it occurred to me that I have the wrong approach - I guess that in most cases, a person will hardly want to fake their address so that you will actually try and authenticate them! I couldn't think of any reason why making SER think a message is from our domain (especially when you would then go and challenge them) is to someone's advantage. More likely the opposite is the case. A sender might want to claim to be in our domain but have SER miss that fact. Is SIP spam a problem yet?!
So the code:

# if sender claims to be in our domain in From header field....
if (search("(f|From): .*@mydomain.com")) {
if (!proxy_auth.....

should be ok! Sorry, I've done a lot of QA work, I try and find holes in everything :-)
However it is true that finding a full email address within a header can be harder than it seems at first glance. RFC822 allows all sorts of ugly things like:

< eli(Elijah)@netusa(not associated with usa.net).net >

(Taken from http://www.faqs.org/faqs/mail/addressing/ which is quite interesting. There are much scarier examples there too. Serusers pipermail list will probably play with the above btw.)

I do not yet know if SIP allows addresses in this particular form. I will look it up. But if so, then some extra functions might be needed in, say, textops module to do matching. You cannot (easily?) match full rfc822 addresses with a regexp...

All this is probably just "interesting", rather than being of practical concern :-)
Conor.
From: Nils Ohlmeier
Subject: Re: [Serusers] From/To vulnerability
Hi Conor,
see inline
On Friday 10 December 2004 17:49, Bob Cat wrote:

I've noticed most scripts checking from and to parts are somewhat flawed. Eg:

# if sender claims to be in our domain in From header field....
if (search("(f|From): .*@mydomain.com")) {
....
};

Looks ok right? Not really - I'll explain why.
I wanted my REGISTER request's host part to match my realm exactly to avoid uri==myself matching and then the above example not matching. A user could register @sipserver.mydomain.com and it would be accepted. They'd be from our domain but without a check. So I did this:
if (method=="REGISTER") {
    if (search("^To: .*@mydomain.com"))
        { authenticate }
    else { no thanks }
But, this can be spoofed by setting a name (eg in kphone) with a domain part. The To part of the sip register message will then look like this:

To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>

And it will match. Bummer. Use check_to (I hope the parsing of this field is accurate, I might take a look at the source!), or use a regexp like:

search("^To: .*sip:[^@]+@mydomain.com");

Hope that does it.
To: "regexp fake sip:foobar@mydomain" <sip:2001@sipserver.mydomain.com>
Just my 2 cents :-)
Greetings
Nils
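To make the point of this thread concrete, here is an added example (my own code, not SER's and not anything the posters wrote): a small Python parser that extracts the URI from a To/From header value following the RFC 3261 name-addr grammar (optional quoted-string or token display-name, then <addr-spec>, or a bare addr-spec), and runs it side by side with the regexes from the thread over constructed headers. The realm mydomain.com, the sample headers and the function names are assumptions; Nils's counterexample is reproduced with the full ".com" in the display-name so that it also defeats the sip:[^@]+@ pattern, and one sample adds an escaped quote inside the display-name, which a regex on the raw header cannot distinguish from a real URI either.

```python
import re

# Regexes from the thread, generalised to the From and To headers (the
# thread's search() patterns are "(f|From): .*@mydomain.com" and
# "^To: .*sip:[^@]+@mydomain.com").  '.' is left unescaped as in the thread.
NAIVE = re.compile(r"^(f|From|t|To): .*@mydomain.com")
IMPROVED = re.compile(r"^(f|From|t|To): .*sip:[^@]+@mydomain.com")


def parse_name_addr(value):
    """Split a SIP From/To header value (RFC 3261 name-addr or addr-spec)
    into (display_name, uri).  A quoted-string display-name may legally
    contain '@', '<', 'sip:' or anything else, so it is consumed first and
    never consulted for the URI."""
    s = value.strip()
    display, i = None, 0
    if s.startswith('"'):
        buf, j = [], 1
        while j < len(s) and s[j] != '"':
            if s[j] == "\\" and j + 1 < len(s):      # quoted-pair such as \"
                j += 1
            buf.append(s[j])
            j += 1
        if j >= len(s):
            raise ValueError("unterminated quoted-string display-name")
        display, i = "".join(buf), j + 1
    lt = s.find("<", i)
    if lt == -1:
        if display is not None:
            raise ValueError("quoted display-name must be followed by <addr-spec>")
        uri = s.split(";", 1)[0].strip()            # bare addr-spec; ';tag=' follows
    else:
        gt = s.find(">", lt)
        if gt == -1:
            raise ValueError("missing '>' after addr-spec")
        if display is None:
            display = s[i:lt].strip() or None       # unquoted *(token LWS) form
        uri = s[lt + 1:gt].strip()
    return display, uri


_SIP_URI = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^@;?]+)@)?"                      # optional user[:password]@
    r"(?P<host>\[[^\]]+\]|[^@:;?]+)"                # hostname, IPv4 or [IPv6]
    r"(?::(?P<port>\d+))?"
    r"(?P<rest>[;?].*)?$",
    re.IGNORECASE,
)


def uri_host(uri):
    """Host part of a sip:/sips: URI, lower-cased; raises on anything else."""
    m = _SIP_URI.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    return m.group("host").lower()


def claims_domain(header_value, domain):
    """True only when the URI host equals `domain` exactly.  Exact comparison
    is what the REGISTER check in the thread wants: sipserver.mydomain.com
    must not pass as the realm mydomain.com."""
    _, uri = parse_name_addr(header_value)
    return uri_host(uri) == domain.lower()


def evaluate(header_line, domain="mydomain.com"):
    """Run the two regexes and the parser over one 'To: ...' / 'From: ...' line."""
    _, value = header_line.split(":", 1)
    return {
        "naive": bool(NAIVE.search(header_line)),
        "improved": bool(IMPROVED.search(header_line)),
        "parsed": claims_domain(value, domain),
    }


# Constructed sample headers for this example (not captured traffic).
SAMPLES = {
    "local": "To: <sip:2001@mydomain.com>",
    "bare_with_tag": "To: sip:2001@mydomain.com;tag=1234",
    "unquoted_name": "From: Bob Cat <sip:bob@mydomain.com>",
    # the kphone trick from the thread: the display-name carries '@mydomain.com'
    "display_at": 'To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>',
    # Nils's counterexample with the full domain in the display-name,
    # which fools the sip:[^@]+@ pattern too
    "display_sip": 'To: "regexp fake sip:foobar@mydomain.com" <sip:2001@sipserver.mydomain.com>',
    # an escaped quote inside the display-name hides a second fake URI
    "escaped_quote": 'To: "x \\" <sip:x@mydomain.com>" <sip:2001@sipserver.mydomain.com>',
    # what Bob first noticed: a sub-domain host slips past both regexes
    "subdomain": 'To: "Bob" <sip:2001@sipserver.mydomain.com>',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:14s} {evaluate(line)}")
```

Running it prints one row per sample; the two regex columns say "yes" for every header that merely contains the realm somewhere in the display-name, while the parsed column only says "yes" when the URI host is the realm. The design point is the order of operations: consume the display-name (including quoted-pairs) before looking for the URI, then compare the host from the URI alone; a regex over the raw header line has no way to know which part it is reading.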