[OpenSER-Devel] [ openser-Bugs-1850882 ] [permissions] bug in default "register.deny"

SourceForge.net noreply at sourceforge.net
Mon Jul 7 13:43:56 CEST 2008

Bugs item #1850882, was opened at 2007-12-14 16:26
Message generated for change (Comment added) made by henningw
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Iaki Baz (ibc_sf)
>Assigned to: Henning Westerholt (henningw)
Summary: [permissions] bug in default "register.deny"

Initial Comment:
Hi, the file "register.deny" included in:

puts as example a gw with IP and a regular expresion:

  ALL : "^sip:.*1\.2\.3\.4$"

This is obviosly vulnerable because a malicious user could send a REGISTER with:

  Contact: <sip:PSTN_number at 1.2.0003.4>

And IP 1.2.0003.4 is the same as but wouldn't be matched by regular expression.

Because that I propose to set:

  ALL : "^sip:.*0*1\.0*2\.0*3\.0*4$"

to avoid any number of 0's.

And other thing, the phrase:
# (Don't forget to list also all hostnames that can
# be used to reach the PSTN gateway)

This is a false security recommendation since anyone can register a public domain pointing to any IP, so a malicious user could register a domain "blablabla.com" pointing to and this would bypass "register.deny" security.


>Comment By: Henning Westerholt (henningw)
Date: 2008-07-07 11:43

Logged In: YES 
Originator: NO

Hi Iaki,

AFAIK resolve 1.2.0003.4 and not to the same name, at least on my
With regards to the recommendation, do you've a better suggestion?




You can respond by visiting: 

More information about the Devel mailing list