On 15.05.17 14:14, Daniel Tryba wrote:
> The save function from the registrar module uses the To header to dissect
> and store the username for the location table according to observations
> and documentation
> http://www.kamailio.org/docs/modules/stable/modules/registrar.html#registra…
>
> After troubleshooting a ticket from an end user unable to receive calls
> where all looked fine but the username used for authentication wasn't
> showing up in the location database. Finally I found the REGISTER was
> added to the location database, but not with the user's username,
> instead it was using the username (phone number) specified in the To
> header. Till now I always assumed that the username in the location
> table would be the username used during authentication(*).
>
> This opens the door to hijacking incoming calls to other users on the
> same kamailio registrar if one knows/guesses other usernames and uses
> those in the To header.

SIP allows third party registrations. The From header indicates who performs
the registration. The To header indicates for whom the registration is done.
Auth username is the account/private identity associated with From. All
these three can be different in SIP. In kamailio, we check that all of
them are the same via the parameter options of auth_check().

If you give different public and private identities, then you need to
keep the relation between them and check there is a match, otherwise,
yes, I have an account on the same service with you, then I can register
my phone on your behalf. uri_db module is supposed to offer a
database-based solution, but you can use other modules (e.g., sqlops,
htable, ...).

> This realisation is kind of shocking to me.

Contact IETF guys, Alex pointed out the reason in the other email ;-)

> The solution is simple (if authentication is required):
> save("location", "0x00", "sip:$au@$rd");
>
> *: which kind of answers my question in the subject, what else can be
> used if there is no authentication required?

Cheers,
Daniel
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - May 22-24 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com
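
The identity comparison described in the reply above (auth username, From user and To user of a REGISTER), as an added Python example for auditing captured REGISTER requests. It is not part of the original e-mail and not Kamailio code; the function names and both sample messages are constructed for illustration, and header folding is not handled.

```python
import re

# Constructed sample REGISTER requests (not captured traffic).
REGISTER_OK = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>\r\n"
    'Authorization: Digest username="alice", realm="example.com", nonce="n", uri="sip:example.com", response="r"\r\n'
    "Contact: <sip:alice@192.0.2.10:5060>\r\n\r\n"
)
# Same request, but the To header names a different user than the credentials.
REGISTER_MISMATCH = REGISTER_OK.replace("To: <sip:alice@", "To: <sip:bob@")

URI_USER = re.compile(r"sips?:([^@;>\s]+)@", re.I)   # user part of a SIP URI
AUTH_USER = re.compile(r'\busername="([^"]*)"', re.I)  # digest username
COMPACT = {"f": "from", "t": "to"}                     # SIP compact header forms

def parse_headers(msg):
    """Return a dict of lower-cased header names to values (first occurrence wins)."""
    headers = {}
    head = msg.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return headers

def uri_user(value):
    m = URI_USER.search(value or "")
    return m.group(1) if m else None

def identities(msg):
    h = parse_headers(msg)
    m = AUTH_USER.search(h.get("authorization", ""))
    return {"auth": m.group(1) if m else None,
            "from": uri_user(h.get("from")),
            "to": uri_user(h.get("to"))}

def check_register(msg):
    # "ok" only when all three identities are the same user.
    ids = identities(msg)
    if ids["auth"] is None:
        return "unauthenticated"
    if ids["from"] != ids["auth"] or ids["to"] != ids["auth"]:
        return "mismatch"
    return "ok"
```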