[Serusers] hijack another account

Java Rockx javarockx at yahoo.com
Thu Dec 2 14:34:59 CET 2004


I think you can use something like this to make sure digest credentials are valid.

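if (method=="REGISTER") {

  # Challenge unless the request carries valid digest credentials
  if (!www_authorize("", "subscriber")) {
     www_challenge("", "0");
     break;
  };

  # Reject if the To username does not match the digest username
  if (!check_to()) {
     sl_send_reply("401", "Unauthorized");
     break;
  };

  # Store the contact; "location" is the usual usrloc table name (assumed here)
  save("location");
}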

--- kcassidy at kakelma.mine.nu wrote:

> Hi All,
> 
>   I found an interesting problem. The setup is using xlite, SER 0.8.12 with
> digest authentication enabled. I just realized that after I get
> registered with account A, then change the "username" (keeping the authorization
> user as A) in Xlite to someone's SIP account (B), I can make calls using
> B's credits while the registration I'm using is still A's. Is there a way to
> fix this?
> 
> In xlite you have parameters:
> 
> Username: (use for actual call, pass on to GW (e.g. pstn))
> Authorization User: (use for registration)
> Password: (use for registration)
> 



		
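An added sketch (not from the original post, and not SER code) of the comparison the reply relies on: the digest username must match the To user on REGISTER. It goes beyond the reply by applying the same comparison to the From user on other requests such as INVITE. Function names and the sample requests are constructed for illustration.

```python
import re

COMPACT = {"f": "from", "t": "to"}  # SIP compact header names

def parse_request(raw):
    """Return (method, headers) with header names lowercased and expanded."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers[COMPACT.get(name, name)] = value.strip()
    return method, headers

def uri_user(value):
    """User part of the first sip:/sips: URI in a From/To header value."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1) if m else None

def digest_username(headers):
    """username= from the Digest credentials, or None if none were sent."""
    cred = headers.get("authorization") or headers.get("proxy-authorization", "")
    m = re.match(r"(?i)digest\s", cred) and re.search(r'\busername="([^"]*)"', cred)
    # Assumption: a username sent as user@realm is compared on its user part.
    return m.group(1).split("@", 1)[0] if m else None

def decide(raw):
    """'challenge' without credentials, 'reject' on identity mismatch, else 'accept'."""
    method, headers = parse_request(raw)
    auth_user = digest_username(headers)
    if auth_user is None:
        return "challenge"
    # REGISTER binds the To URI; other requests claim an identity in From.
    claimed = uri_user(headers.get("to" if method == "REGISTER" else "from", ""))
    return "accept" if claimed == auth_user else "reject"

# Constructed sample requests (not captured traffic).
AUTH_A = ('Digest username="userA", realm="example.com", nonce="n", '
          'uri="sip:example.com", response="r"')
REGISTER_OK = ("REGISTER sip:example.com SIP/2.0\r\nTo: <sip:userA@example.com>\r\n"
               "From: <sip:userA@example.com>;tag=1\r\nAuthorization: " + AUTH_A + "\r\n\r\n")
INVITE_MISMATCH = ("INVITE sip:1234@example.com SIP/2.0\r\n"
                   "f: \"B\" <sip:userB@example.com>;tag=2\r\n"
                   "To: <sip:1234@example.com>\r\nProxy-Authorization: " + AUTH_A + "\r\n\r\n")
INVITE_NO_AUTH = INVITE_MISMATCH.replace("Proxy-Authorization: " + AUTH_A + "\r\n", "")
```
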