[Serusers] hijack another account

Andreas Granig a.granig at inode.at
Thu Dec 2 16:37:46 CET 2004


kcassidy at kakelma.mine.nu wrote:
>   But we can still hijack someone who is registered right?  

Don't think so. If you use A's authorization credentials and B's 
username (which is inserted into From, isn't it?), then the INVITE would 
pass the proxy_authorization(), but will fail to satisfy check_from() 
which checks AFAIR the From-user against the username in credentials.

The same applies to REGISTERs, if you check_to() after successfully 
passing www_authorize().

Don't know about check_xxx() and Radius, we don't use Radius here.

Andy
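
The identity check described in this message, sketched as an added illustration (not part of the original post and not SER's own code): after digest authentication succeeds, the authenticated username must equal the From user (To user for REGISTER), so valid credentials cannot vouch for a different user. The host `example.org`, the users, the sample requests and all function names are constructed for this example.

```python
import re

# Constructed sample data, not captured traffic: the credentials always belong
# to "alice"; only the claimed From/To user varies between requests.
AUTH = 'Digest username="alice", realm="example.org", nonce="abc", response="0"'

def make_request(method, from_user, to_user, auth_header):
    return (f"{method} sip:example.org SIP/2.0\r\n"
            f'From: "Caller" <sip:{from_user}@example.org>;tag=1\r\n'
            f"To: <sip:{to_user}@example.org>\r\n"
            f"{auth_header}: {AUTH}\r\n\r\n")

def header(msg, name):
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in msg.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def uri_user(value):
    """User part of the sip:/sips: URI in a From or To header value."""
    m = re.search(r"sips?:([^@;>\s]+)@", value or "")
    return m.group(1) if m else None

def digest_username(value):
    """The username="..." parameter of a Digest credentials header value."""
    m = re.search(r'\busername="([^"]*)"', value or "")
    return m.group(1) if m else None

def identity_matches(msg):
    """True only if the digest username equals the user the request claims.

    REGISTER compares the To user with the Authorization username (the
    check_to() case); other methods compare the From user with the
    Proxy-Authorization username (the check_from() case). Missing or
    unparsable headers fail closed.
    """
    if msg.split(" ", 1)[0] == "REGISTER":
        claimed, creds = header(msg, "To"), header(msg, "Authorization")
    else:
        claimed, creds = header(msg, "From"), header(msg, "Proxy-Authorization")
    user, auth_user = uri_user(claimed), digest_username(creds)
    return user is not None and user == auth_user
```
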



