[Serusers] hijack another account

kcassidy at kakelma.mine.nu
Thu Dec 2 14:39:23 CET 2004


Hi Java,

  This only checks the REGISTER method.  I think we need something to 
check whether the URI in the INVITE method is fake or not.  Just my 2 
cents.

 P.S.  I'm not a SIP expert :)


On Thu, 2 Dec 2004, Java Rockx wrote:

> I think you can use something like this to make sure digest credentials are valid.
> 
> if (method=="REGISTER") {
> 
>   if (!www_authorize("", "subscriber")) {
>      www_challenge("", "0");
>      break;
>   };
> 
>   if (!check_to()) {
>      sl_send_reply("401", "Unauthorized");
>      break;
>   };
> 
>   save();
> }
> 
> --- kcassidy at kakelma.mine.nu wrote:
> 
> > Hi All,
> > 
> >   I found an interesting problem. The setup uses xlite and SER 0.8.12 with 
> > digest authentication enabled.  I just realized that after I get 
> > registered with account A, then change the "username" (keeping the authorization 
> > user as A) in Xlite to someone else's SIP account (B), I can make calls using 
> > B's credits while the registration I'm using is still A's.  Is there a way to 
> > fix this?
> > 
> > In xlite you have parameters:
> > 
> > Username: (use for actual call, pass on to GW (e.g. pstn) 
> > Authorization User: (use for registration)
> > Password: (use for registration)
> > 
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
> > 
> 




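As an added example, not code from this thread and not SER's own documentation: the route fragment below applies the same digest check to INVITE that the quoted block applies to REGISTER, and additionally rejects calls whose From user does not match the authenticated user, which is exactly the A/B mismatch described above. It reuses the realm "" and the "subscriber" table from the quoted REGISTER block, assumes the auth and auth_db modules are loaded and configured as that block already requires, and uses t_relay() from the tm module to forward the call (an assumption about the rest of the config).

```ser
# Added example, not from the thread.  Fragment of the main route block
# of a SER 0.8.12 ser.cfg; the REGISTER handling is the quoted one.
route {
    if (method=="REGISTER") {
        # Registrations: digest-authenticate, then make sure the To header
        # names the authenticated user before storing the contact.
        if (!www_authorize("", "subscriber")) {
            www_challenge("", "0");
            break;
        };
        if (!check_to()) {
            sl_send_reply("401", "Unauthorized");
            break;
        };
        save("location");
        break;
    };

    if (method=="INVITE") {
        # Calls: demand proxy digest credentials on every INVITE,
        # independent of any earlier REGISTER.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            break;
        };
        # Reject the call if the user part of From differs from the
        # username in the digest credentials.  This is the check that
        # stops "authorization user A, username B" from billing B.
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            break;
        };
        # Drop the Proxy-Authorization header so the credentials are not
        # forwarded to the next hop (e.g. the PSTN gateway).
        consume_credentials();
    };

    # Forward the request (tm module; assumed to be loaded).
    if (!t_relay()) {
        sl_reply_error();
    };
}
```

check_to() is the right comparison for REGISTER (the To header is the address of record being registered), while check_from() is the one that matters for billing, because the gateway charges whatever user appears in From. consume_credentials() keeps the digest response from travelling beyond the proxy, so a downstream gateway never sees A's credentials at all.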