[OpenSER-Devel] SF.net SVN: openser: [2852] trunk
Daniel-Constantin Mierla
daniel at voice-system.ro
Wed Oct 17 11:23:34 CEST 2007
Hello,
On 10/17/07 11:38, Henning Westerholt wrote:
> On Thursday 04 October 2007, Daniel-Constantin Mierla wrote:
>
>> Revision: 2852
>> http://openser.svn.sourceforge.net/openser/?rev=2852&view=rev
>> Author: miconda
>> Date: 2007-10-04 06:22:45 -0700 (Thu, 04 Oct 2007)
>>
>> Log Message:
>> -----------
>> - new PV: $adu - auth digest uri - the uri from auth credentials
>> - useful to tighten the security checks (can be now compared with To/R-URI
>> to see if it is intended destination used to compose the digest response) -
>> reported by Radu State
>>
>
> Some further informations for the archives:
>
> This is the issue described in CVE-2007-5469:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5469?
>
> More explanations:
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066581.html
>
For older versions (>=1.0.0) the solution would be:
- write the body if Authorization/Proxy-Authorization header in an AVP
via avp_printf()
- do an avp_subst() and substract the value of the digest URI in another
AVP
- use avp_check() to check it against R-URI
The solution of letting the check in config file is to give more liberty
in performing it. Imagine that the proxies are behind a load balancer,
and the R-URI is changed by the LB, in that case all auth will fail. The
admin can add the initial R-URI in a special header at LB and in the
proxy compare that value with the digest URI. Embedding this check in
auth modules seemed too rigid.
Cheers,
Daniel
> Cheers,
>
> Henning
>
>
>
More information about the Devel
mailing list