[Serusers] From/To vunerability

I've noticed most scripts checking from and to parts are somewhat flawed. Eg: # if sender claims to be in our domain in From header field.... if (search("(f|From): .*(a)mydomain.com)) { .... }; Looks ok right? Not really - I'll explain why. I wanted my REGISTER request's host part to match my realm exactly to avoid uri==myself matching and then the above example not matching. A user could register @sipserver.mydomain.com and it would be accepted. They'd be from our domain but without a check. So I did this: if (method=="REGISTER") { if (search("^To: .*(a)mydomain.com&quot;)) { authenticate } else { no thanks } But, this can be spoofed by setting a name (eg in kphone) with a domain part. The To part of the sip register message will then look like this: To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com> And it will match. Bummer. Use check_to (I hope the parsing of this field is accurate, I might take a look at the source!), or use a regexp like: search("^To: .*sip:[^@]+@mydomain.com"); Hope that does it. Conor. _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/