[OpenSER-Devel] [ openser-Bugs-1850882 ] [permissions] bug in default "register.deny"

SourceForge.net noreply at sourceforge.net
Mon Jul 7 13:43:56 CEST 2008 

Bugs item #1850882, was opened at 2007-12-14 16:26
Message generated for change (Comment added) made by henningw
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1850882&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Iaki Baz (ibc_sf)
>Assigned to: Henning Westerholt (henningw)
Summary: [permissions] bug in default "register.deny"

Initial Comment:
Hi, the file "register.deny" included in:
  http://openser.svn.sourceforge.net/viewvc/openser/trunk/modules/permissions/config/register.deny?view=markup

puts as example a gw with IP 1.2.3.4 and a regular expresion:

  ALL : "^sip:.*1\.2\.3\.4$"

This is obviosly vulnerable because a malicious user could send a REGISTER with:

  Contact: <sip:PSTN_number at 1.2.0003.4>

And IP 1.2.0003.4 is the same as 1.2.3.4 but wouldn't be matched by regular expression.

Because that I propose to set:

  ALL : "^sip:.*0*1\.0*2\.0*3\.0*4$"

to avoid any number of 0's.


And other thing, the phrase:
# (Don't forget to list also all hostnames that can
# be used to reach the PSTN gateway)

This is a false security recommendation since anyone can register a public domain pointing to any IP, so a malicious user could register a domain "blablabla.com" pointing to 1.2.3.4 and this would bypass "register.deny" security.

----------------------------------------------------------------------

>Comment By: Henning Westerholt (henningw)
Date: 2008-07-07 11:43

Message:
Logged In: YES 
user_id=337916
Originator: NO

Hi Iaki,

AFAIK resolve 1.2.0003.4 and 1.2.3.4 not to the same name, at least on my
machine.
With regards to the recommendation, do you've a better suggestion?

Cheers,

Henning

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1850882&group_id=139143

More information about the Devel mailing list