[OpenSER-Devel] [ openser-Bugs-1850882 ] [permissions] bug in default "register.deny"

SourceForge.net noreply at sourceforge.net
Tue Jul 8 15:00:21 CEST 2008

Bugs item #1850882, was opened at 2007-12-14 16:26
Message generated for change (Comment added) made by henningw
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Iñaki Baz (ibc_sf)
Assigned to: Henning Westerholt (henningw)
Summary: [permissions] bug in default "register.deny"

Initial Comment:
Hi, the file "register.deny" included in:

puts as example a gw with IP and a regular expression:

  ALL : "^sip:.*1\.2\.3\.4$"

This is obviously vulnerable because a malicious user could send a REGISTER with:

  Contact: <sip:PSTN_number@1.2.0003.4>

And IP 1.2.0003.4 is the same as but wouldn't be matched by regular expression.

Because of that I propose to set:

  ALL : "^sip:.*0*1\.0*2\.0*3\.0*4$"

to avoid any number of 0's.

Another thing, the phrase:
# (Don't forget to list also all hostnames that can
# be used to reach the PSTN gateway)

This is a false security recommendation since anyone can register a public domain pointing to any IP, so a malicious user could register a domain "blablabla.com" pointing to and this would bypass "register.deny" security.
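
An added example (not part of the original report and not OpenSER code) that runs the two "register.deny" patterns quoted above against constructed Contact URIs, next to a check that canonicalises the host before comparing and refuses hostnames, since the report notes a hostname can point at any address. The function names, the inet_aton()-style octet parsing and the sample URIs are assumptions made for illustration.

```python
import re

GATEWAY = "1.2.3.4"  # example gateway address used in the report
ORIGINAL = re.compile(r"^sip:.*1\.2\.3\.4$")          # shipped example pattern
PROPOSED = re.compile(r"^sip:.*0*1\.0*2\.0*3\.0*4$")  # reporter's proposal
OCTET = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def contact_host(uri):
    """Host part of sip:user@host[:port][;params] (IPv4 or hostname only)."""
    rest = re.split(r"[;?]", uri.partition(":")[2], maxsplit=1)[0]
    return rest.rsplit("@", 1)[-1].split(":", 1)[0]

def canonical_ipv4(host):
    """Dotted-decimal form of a 4-part IPv4 literal, else None.
    Assumption: octets are read as inet_aton() reads them
    (leading 0 = octal, 0x = hex), so 0003 becomes 3."""
    parts = host.split(".")
    if len(parts) != 4 or not all(OCTET.fullmatch(p) for p in parts):
        return None
    octets = []
    for p in parts:
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            value = int(p, base)
        except ValueError:        # e.g. "08" is not valid octal
            return None
        if value > 255:
            return None
        octets.append(str(value))
    return ".".join(octets)

def deny_register(uri):
    """Return (denied, reason) for a Contact URI."""
    ip = canonical_ipv4(contact_host(uri))
    if ip is None:
        return True, "not an IP literal"   # hostnames are refused outright
    if ip == GATEWAY:
        return True, "gateway address"
    return False, "ok"

# Constructed sample Contact URIs, not taken from any real traffic.
SAMPLES = ["sip:0034911111@1.2.3.4", "sip:0034911111@1.2.0003.4",
           "sip:0034911111@gw.example.net", "sip:alice@192.0.2.10"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, bool(ORIGINAL.search(uri)), bool(PROPOSED.search(uri)),
              deny_register(uri))
```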


>Comment By: Henning Westerholt (henningw)
Date: 2008-07-08 13:00

Logged In: YES 
Originator: NO

Hi Inaki,

correct, ping is more relaxed in this regard. I've added some notes about
the security implications to the file. Please review and re-open when you
still see issues.



Comment By: Iñaki Baz (ibc_sf)
Date: 2008-07-08 07:41

Logged In: YES 
Originator: YES

Hi, take a look at this example:

~$ host domain name pointer rc1.vip.ukl.yahoo.com.

~$ host has address
Host not found: 3(NXDOMAIN)
Host not found: 3(NXDOMAIN)

~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=245 time=69.5 ms
64 bytes from icmp_seq=2 ttl=245 time=67.2 ms

About my suggestion, I can just point you to the discussion there was on the
OpenSer-users mailing list about it some time ago:

The conclusion was simple: The only and reliable solution to avoid
fraudulent registrations (faked "Contact") is the use of blacklists, as
Klaus suggested:

There is another way by using "register.deny" but avoiding registration
with a hostname/domain in the "Contact" as Juha suggested:

But IMHO using "register.deny" (including there IP's but allowing
hostnames/domains) is completely a security lack.

Blacklists work perfectly for me.


Comment By: Henning Westerholt (henningw)
Date: 2008-07-07 11:43

Logged In: YES 
Originator: NO

Hi Iñaki,

AFAIK resolve 1.2.0003.4 and not to the same name, at least on my
With regards to the recommendation, do you've a better suggestion?



