Yes, you are absolutely right! I realised later that it isn't that simple to parse addresses.
However, it occurred to me that I have the wrong approach - I guess that in most cases, a person will hardly want to fake their address so that you will actually try and authenticate them! I couldn't think of any reason why making SER think a message is from our domain (especially when you would then go and challenge them) is to someone's advantage.
More likely the opposite is the case. A sender might want to claim to be in our domain but have SER miss that fact. Is SIP spam a problem yet?! So the code:
# if sender claims to be in our domain in From header field.... if (search("(f|From): .*@mydomain.com")) { if (!proxy_auth.....
should be ok! Sorry, I've done a lot of QA work, I try and find holes in everything :-)
However it is true that finding a full email address within a header can be harder than it seems at first glance. RFC822 allows all sorts of ugly things like:
< eli(Elijah)@netusa(not associated with usa.net).net >
( Taken from http://www.faqs.org/faqs/mail/addressing/ which is quite interesting. There are much scarier examples there too. Serusers pipermail list will probably play with the above btw. )
I do not yet know if SIP allows addresses in this particular form. I will look it up. But if so, then some extra functions might be needed in, say, textops module to do matching. You cannot (easily?) match full rfc822 addresses with a regexp...
All this is probably just "interesting", rather than being of practical concern :-)
Conor.
From: Nils Ohlmeier
Subject: Re: [Serusers] From/To vulnerability
Hi Conor,
see inline
On Friday 10 December 2004 17:49, Bob Cat wrote:
> I've noticed most scripts checking from and to parts are somewhat flawed.
> Eg:
> # if sender claims to be in our domain in From header field.... if (search("(f|From): .*@mydomain.com")) { .... };
> Looks ok right? Not really - I'll explain why.
> I wanted my REGISTER request's host part to match my realm exactly to avoid uri==myself matching and then the above example not matching. A user could register @sipserver.mydomain.com and it would be accepted. They'd be from our domain but without a check. So I did this:
> if (method=="REGISTER") { if (search("^To: .*@mydomain.com")) { authenticate } else { no thanks } }
> But, this can be spoofed by setting a name (eg in kphone) with a domain part. The To part of the sip register message will then look like this:
> To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>
> And it will match. Bummer. Use check_to (I hope the parsing of this field is accurate, I might take a look at the source!), or use a regexp like:
> search("^To: .*sip:[^@]+@mydomain.com");
> Hope that does it.
To: "regexp fake sip:foobar@mydomain" <sip:2001@sipserver.mydomain.com>
Just my 2 cents :-)
Greetings Nils
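As an added example (my own code, not SER's and not something posted in this thread): the two checks above both work on the raw header text with search(), so any display-name that contains "@mydomain.com" or "sip:...@mydomain.com" satisfies them. The alternative is to parse the header value along RFC 3261's grammar first: an optional display-name (a quoted-string, or a run of tokens), an addr-spec in angle brackets, or a bare addr-spec, and only then look at the host of the URI. RFC 3261's name-addr grammar has no RFC 822-style comments, so the parser does not need to handle the `eli(Elijah)@...` form from Conor's mail. The function and sample names (`parse_name_addr`, `header_claims_domain`, the constructed `SAMPLES` headers for mydomain.com) are mine; SER's real `check_to()` is not modelled here.

```python
import re

# RFC 3261 quoted-string: double quotes around any characters, with backslash escapes.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# Header name prefix, including the compact forms "t:" and "f:".
_HDR = re.compile(r'(?i)^\s*(to|t|from|f)\s*:\s*')


def parse_sip_uri(uri):
    """Split a sip:/sips: URI into (user, host). Port, URI params and headers are dropped."""
    m = re.match(r'(?i)sips?:', uri)
    if not m:
        raise ValueError("not a sip/sips URI: %r" % uri)
    rest = uri[m.end():]
    # An unescaped '@' cannot occur in the SIP user part, so the first '@'
    # separates userinfo from hostport.
    user, at, hostport = rest.partition("@")
    if not at:
        user, hostport = "", rest
    # hostport ends at the first URI parameter (';') or URI header ('?').
    hostport = re.split(r'[;?]', hostport, maxsplit=1)[0]
    if hostport.startswith("["):                      # IPv6 literal
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]
    return user, host.lower()


def parse_name_addr(value):
    """Parse a To/From header *value* into (display_name, user, host).

    Accepts the forms RFC 3261 allows:
      "Quoted Name" <sip:user@host;p=v>   quoted-string display-name
      Token Name <sip:user@host>          token display-name
      <sip:user@host>                     no display-name
      sip:user@host;tag=xyz               bare addr-spec (no angle brackets)
    """
    v = value.strip()
    display = ""
    m = _QUOTED.match(v)
    if m:
        # Unescape \" and \\ in the quoted display-name. The name may freely contain
        # '<', '@' or "sip:" - that is exactly what fools the search() regexes.
        display = re.sub(r'\\(.)', r'\1', m.group(0)[1:-1])
        v = v[m.end():].lstrip()
        if not v.startswith("<"):
            raise ValueError("quoted display-name must be followed by <addr-spec>")
    if "<" in v:
        lt = v.index("<")
        if not m:
            display = v[:lt].strip()                  # unquoted token display-name
        gt = v.find(">", lt)
        if gt < 0:
            raise ValueError("unterminated name-addr")
        uri = v[lt + 1:gt]
    else:
        # Bare addr-spec: RFC 3261 requires angle brackets when the URI itself
        # contains ';' or '?', so here the first ';' starts the header parameters.
        uri = v.split(";", 1)[0]
    user, host = parse_sip_uri(uri)
    return display, user, host


def header_claims_domain(header_line, domain):
    """True if the To/From *header line* resolves to a URI whose host is exactly `domain`."""
    m = _HDR.match(header_line)
    if not m:
        raise ValueError("not a To/From header line")
    _, _, host = parse_name_addr(header_line[m.end():])
    return host == domain.lower()


# The two regexes from the thread, as Python equivalents of SER's search().
def regex_v1(header_line):
    return re.search(r'^(t|To): .*@mydomain\.com', header_line) is not None


def regex_v2(header_line):
    return re.search(r'^To: .*sip:[^@]+@mydomain\.com', header_line) is not None


# Constructed sample headers (not taken from the thread) for the domain mydomain.com.
SAMPLES = {
    "legit":    'To: <sip:2001@mydomain.com>',
    "legit2":   'To: "Bob Cat" <sip:2001@mydomain.com>;tag=1928301774',
    "spoof_v1": 'To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>',
    "spoof_v2": 'To: "regexp fake sip:foobar@mydomain.com" <sip:2001@sipserver.mydomain.com>',
    "bare":     't: sip:2001@sipserver.mydomain.com;tag=abc',
}


def evaluate(samples=SAMPLES, domain="mydomain.com"):
    """Return {name: (regex_v1, regex_v2, parser)} so the three checks can be compared."""
    return {n: (regex_v1(h), regex_v2(h), header_claims_domain(h, domain))
            for n, h in samples.items()}


if __name__ == "__main__":
    for name, (r1, r2, p) in evaluate().items():
        print("%-9s regex_v1=%-5s regex_v2=%-5s parser=%s" % (name, r1, r2, p))
```

Running it shows the first regex accepting both spoofed headers, the second still accepting the one with "sip:foobar@mydomain.com" in the display name, and the parser rejecting both because the URI host is sipserver.mydomain.com. The parser also drops the port and URI parameters before comparing the host, and it case-folds the host, which a search() regex against the raw line does not.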