I have a security issue with my configuration (the default one): it is possible to register using a login/password and to set anything in the Contact field. So if you have an account 106/password, it is possible to be 105 in the location database!
How is it possible to deny that kind of thing? Thanks
Is it useful to use method_filtering of the REGISTRAR module? Or is it better to do something with the values below and a compare function?
$ct - reference to body of Contact header
$ar - realm from Authorization or Proxy-Authorization header
$au - username from Authorization or Proxy-Authorization header
if ($ct != $au@$ar) { sl_send_reply("403", "User and login must be the same"); };
Best Regards,
Marc LEURENT
# U 82.127.0.79:1045 -> 88.191.45.91:5060
REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0
Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420
From: sip:105@sd-7501.dedibox.fr:5060;user=phone;tag=c0a80101-38c0e7
To: sip:105@sd-7501.dedibox.fr:5060;user=phone
Call-ID: 29eb6e9-c0a80101-5-17@192.168.95.70
CSeq: 90 REGISTER
Max-Forwards: 70
Expires: 3600
Contact: sip:105@82.127.0.79:1046;user=phone
Authorization: Digest username="106", realm="sd-7501.dedibox.fr", nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", uri="sip:sd-7501.dedibox.fr", response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth, cnonce="38c102", nc=00000001
User-Agent: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4
Allow-Events: refer,dialog,message-summary,check-sync,talk,hold
Content-Length: 0

AOR:: 105
Contact:: sip:105@82.127.0.79:1046;user=phone
Q=
Expires:: 194
Callid:: 29eb6e9-c0a80101-5-17@192.168.95.70
Cseq:: 92
User-agent:: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4
Received:: sip:82.127.0.79:1045
State:: CS_SYNC
Flags:: 0
Cflag:: 192
Socket:: udp:88.191.45.91:5060
Methods:: 4294967295
Hi Marc,
The problem is not the Contact, but the From header. The From header contains the username which registers. The Contact header (according to RFC 3261) must be a valid URI, that's all (e.g. some CPEs put sip:<ip-address>:line=xyz in the Contact).
Carsten
On Thursday, 06.09.2007, 12:01 +0200, Marc LEURENT wrote:
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Even so, how do I deny it with OpenSER? Cirpack can do it: for example, if I put a contact name different from my auth name, it replies with an error. It prevents another person from receiving your calls!
Look, you have the user 105 in the From and Contact headers:
From: sip:105@sd-7501.dedibox.fr:5060;user=phone;tag=c0a80101-38c0e7
but my user is 106:
Authorization: Digest username="106", realm="sd-7501.dedibox.fr", nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", uri="sip:sd-7501.dedibox.fr", response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth, cnonce="38c102", nc=00000001
Carsten Bock wrote:
Hi Marc,
In OpenSER 1.2, you could add something like
if ($au != $fU) { sl_send_reply("403", "Screening failed"); }
$au = Authorization username
$fU = username in the From SIP URI
I believe in former versions of OpenSER there was a function for this, but I don't remember.
Carsten
On Thursday, 06.09.2007, 12:39 +0200, Marc LEURENT wrote:
This is an old problem - often called registration hijacking.
After authentication, use check_to() for REGISTER and check_from() for all other SIP requests.
regards klaus
Marc LEURENT schrieb:
Klaus Darilion wrote:
This is an old problem - often called registration hijacking.
Some call it a feature: 3rd party registration ;-)
/Christian
On 09/06/07 15:40, Christian Schlatter wrote:
Indeed, to make everybody happy, the solution is provided by uri_db/check_from(), as stated in this thread. With that, any user can set a list of other users that can do registrations on its behalf; that is what the uri table is for.
Daniel
Hi, sorry, but what does the content of the Contact header matter, provided that it is a valid URI? The CPE can be behind NAT and not have the same parameters as the registration in order to be reached. I think the problem is to ensure that the From and To that form the AOR the client is about to register are allowed for that client. In my config I have multiple numbers that can be assigned to a single CPE, and I use an AVP to check that the username used is allowed to register that AOR. If I'm not wrong, the Contact is put in the INVITE after the lookup of the AOR on the proxy, so you cannot receive someone else's calls if you check that the authentication corresponds to an AOR allowed to register with that authentication.
Another issue is that some crappy phones put invalid URIs in the Contact, like:
http://x.x.x.x https:/x.x.x.x
Or something like this. Is there a way to check the validity of the URI before allowing the registration?
Thanks, Bye, Marcello
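The screening the thread converges on (check_to()-style comparison of the digest username with the To-URI user for REGISTER, check_from()-style comparison with the From user for everything else, plus a uri-table delegation list for deliberate third-party registration) and Marcello's Contact-validity check, shown together as an added Python example; this is not OpenSER's code nor anyone's from the thread. The SIP parser, the URI_TABLE dict and the 400/403 choices are assumptions, and the sample REGISTER is a constructed copy of the one Marc captured (digest assumed already verified).

```python
import re

# Constructed sample, modelled on the REGISTER captured in the thread: the phone
# authenticates as user 106 but asks to register the AOR of user 105.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0",
    "Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420",
    "From: sip:105@sd-7501.dedibox.fr:5060;user=phone;tag=c0a80101-38c0e7",
    "To: sip:105@sd-7501.dedibox.fr:5060;user=phone",
    "Call-ID: 29eb6e9-c0a80101-5-17@192.168.95.70",
    "CSeq: 90 REGISTER",
    "Contact: sip:105@82.127.0.79:1046;user=phone",
    'Authorization: Digest username="106", realm="sd-7501.dedibox.fr", '
    'nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", '
    'uri="sip:sd-7501.dedibox.fr", algorithm=MD5, qop=auth, nc=00000001',
    "Content-Length: 0", "", "",
])

# Hypothetical stand-in for the uri_db "uri" table: (auth username, realm) ->
# set of other AOR users this account may register on behalf of.
URI_TABLE = {("106", "sd-7501.dedibox.fr"): set()}


def parse_sip(msg):
    """Split a SIP request into (method, {lowercased header name: value})."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    method = head[0].split(" ", 1)[0]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def uri_user(value):
    """User part of 'sip:105@host;tag=x' or '<sip:105@host>'; None if absent."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1) if m else None

def digest_param(auth, name):
    """Value of a Digest parameter, quoted or not (username="106", nc=00000001)."""
    m = re.search(r'\b%s=("?)([^",\s]+)\1' % re.escape(name), auth)
    return m.group(2) if m else None

def contact_is_sip_uri(contact):
    """Accept '*' (unregister all) or a sip:/sips: URI; reject http://x.x.x.x."""
    c = contact.strip()
    return c == "*" or re.match(r"^<?sips?:[^\s<>]+", c) is not None

def screen_request(msg, uri_table=URI_TABLE):
    """Identity screening applied after the digest has already been verified.

    REGISTER: like check_to(), the digest username must equal the To-URI user
    (the AOR being bound) unless the uri table delegates that AOR to it.
    Other methods: like check_from(), it must equal the From-URI user.
    Returns the (status, reason) the proxy would reply with.
    """
    method, h = parse_sip(msg)
    auth = h.get("authorization") or h.get("proxy-authorization") or ""
    au, ar = digest_param(auth, "username"), digest_param(auth, "realm")
    claimed = uri_user(h.get("to" if method == "REGISTER" else "from", ""))
    if au is None or claimed is None:
        return 403, "Missing credentials or identity"
    if method == "REGISTER" and not contact_is_sip_uri(h.get("contact", "")):
        return 400, "Contact is not a SIP URI"
    if au == claimed or claimed in uri_table.get((au, ar), set()):
        return 200, "OK"
    return 403, "Screening failed: %s may not act as %s" % (au, claimed)
```

With the empty delegation set the captured REGISTER is refused with 403; adding "105" to the 106 entry of URI_TABLE models the uri-table third-party registration Daniel describes.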