[Devel] authentication issue

Juha Heinanen jh at tutpro.com
Wed Mar 29 17:03:22 CEST 2006


One user managed to send an INVITE that had From URI sip:foo@X and, in the
Proxy-Authorization header, username=bar@Y and realm=X.

The auth module checks that the P-A realm matches the From URI host part.  When
the uri_radius module sends out the RADIUS authentication request, it takes the
A_DIGEST_USER_NAME value from the P-A header username if it has a domain part,
which in the example is bar@Y.  Otherwise it takes the user from username
and the domain from realm.

The problem is that the user username=foo@Y may indeed exist with a matching
password, and that user may have a URI with user part foo, but not in
domain X as advertised by the From URI.

This looks like a quite serious bug to me.  Possible fixes:

(1) always take A_DIGEST_USER_NAME domain from realm.

(2) if digest username has domain, check that it matches realm and if
    not, issue an error.

Comments?

-- juha
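The two code paths described in the mail, as an added illustration that is not SER's own code: `digest_user_name_unchecked` reproduces the behaviour reported (a digest username that already carries a domain is passed to RADIUS verbatim), and `digest_user_name_checked` applies the proposed fixes (the realm must equal the From URI host, a domain inside the digest username must equal the realm, and the User-Name sent onward is always user@realm). All function names, the enum and the `sip_uri_host` helper are hypothetical; the helper assumes a bare SIP URI rather than a full From header with a display name.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of deriving the RADIUS User-Name from the digest credentials. */
typedef enum {
    DIGEST_OK = 0,
    DIGEST_REALM_NOT_FROM_HOST,      /* realm differs from the From URI host (existing auth check) */
    DIGEST_USERNAME_DOMAIN_MISMATCH, /* username carries a domain that differs from realm (fix 2) */
    DIGEST_TOO_LONG                  /* output buffer too small */
} digest_result;

/* Copy the host part of a SIP URI ("sip:foo@X", "<sip:foo@X>;tag=1") into out.
   Hypothetical helper: assumes a bare URI, not a full From header whose
   display name might itself contain '@'. */
static int sip_uri_host(const char *uri, char *out, size_t outlen)
{
    const char *at = strchr(uri, '@');
    const char *host;
    size_t n;

    if (at != NULL)
        host = at + 1;
    else if (strncmp(uri, "sip:", 4) == 0)
        host = uri + 4;
    else
        return -1;

    n = strcspn(host, ":;>");          /* stop at port, parameters or closing '>' */
    if (n == 0 || n + 1 > outlen)
        return -1;
    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}

/* Behaviour reported in the mail: a digest username with a domain part is
   used verbatim, otherwise user@realm is built.  Nothing ties the domain
   to the realm or to the From URI. */
digest_result digest_user_name_unchecked(const char *username, const char *realm,
                                         char *out, size_t outlen)
{
    int n = strchr(username, '@') != NULL
            ? snprintf(out, outlen, "%s", username)
            : snprintf(out, outlen, "%s@%s", username, realm);
    return (n < 0 || (size_t)n >= outlen) ? DIGEST_TOO_LONG : DIGEST_OK;
}

/* Proposed fixes: realm must equal the From URI host; a domain inside the
   digest username must equal the realm (fix 2); the name sent to RADIUS is
   always user@realm (fix 1), so the lookup happens in the advertised domain. */
digest_result digest_user_name_checked(const char *from_uri, const char *username,
                                       const char *realm, char *out, size_t outlen)
{
    char from_host[256];
    const char *at;
    size_t ulen;
    int n;

    if (sip_uri_host(from_uri, from_host, sizeof from_host) != 0)
        return DIGEST_REALM_NOT_FROM_HOST;
    if (strcasecmp(from_host, realm) != 0)   /* host names compare case-insensitively */
        return DIGEST_REALM_NOT_FROM_HOST;

    at = strchr(username, '@');
    if (at != NULL && strcasecmp(at + 1, realm) != 0)
        return DIGEST_USERNAME_DOMAIN_MISMATCH;

    ulen = at != NULL ? (size_t)(at - username) : strlen(username);
    n = snprintf(out, outlen, "%.*s@%s", (int)ulen, username, realm);
    return (n < 0 || (size_t)n >= outlen) ? DIGEST_TOO_LONG : DIGEST_OK;
}

int main(void)
{
    char name[128];
    digest_result r;

    /* The request from the mail: From sip:foo@X, username=bar@Y, realm=X. */
    r = digest_user_name_unchecked("bar@Y", "X", name, sizeof name);
    printf("unchecked: result=%d user-name=%s\n", r, name);

    r = digest_user_name_checked("sip:foo@X", "bar@Y", "X", name, sizeof name);
    printf("checked:   result=%d (2 = username domain does not match realm)\n", r);
    return 0;
}
```

The unchecked path hands bar@Y to RADIUS even though the From URI and realm both say X; the checked path rejects it before the RADIUS round trip, and a plain username=foo with realm=X still becomes foo@X as before.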
