[Serusers] hijack another account

Jan Janak jan at iptel.org
Fri Dec 3 22:10:17 CET 2004


In REGISTER messages you have to check To because this is the header
field that contains the SIP URI being registered. The correct way is to
first call www_authorize and then check_to, which would verify if the
usernames in To and digest credentials are the same.

For INVITE messages, call proxy_authorize and then check_from to verify
if the usernames in the From header field and digest credentials are the
same. That would prevent people from hijacking the identity of someone else.

   Jan.

On 02-12 16:37, Andreas Granig wrote:
> kcassidy at kakelma.mine.nu wrote:
> >  But we can still hijack someone who is registered right?  
> 
> Don't think so. If you use A's authorization credentials and B's 
> username (which is inserted into From, isn't it?), then the INVITE would 
> pass the proxy_authorization(), but will fail to satisfy check_from() 
> which checks AFAIR the From-user against the username in credentials.
> 
> The same applies to REGISTERs, if you check_to() after successfully 
> passing www_authorize().
> 
> Don't know about check_xxx() and Radius, we don't use Radius here.
> 
> Andy
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
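The routing logic described in this thread (www_authorize followed by check_to for REGISTER, proxy_authorize followed by check_from for INVITE), written out as a ser.cfg fragment. This is an added example, not configuration posted by anyone on the list; it assumes a SER 0.8.x-style script with the sl, auth, auth_db, uri, usrloc and registrar modules loaded, a "subscriber" table as the credential source, and "example.com" as a placeholder realm.

```ser
# Added example (not from the thread). Assumes modules sl, auth, auth_db,
# uri, usrloc and registrar are loaded; "example.com" is a placeholder realm.
route {
	if (uri==myself) {

		if (method=="REGISTER") {
			# Step 1: verify the digest credentials themselves.
			if (!www_authorize("example.com", "subscriber")) {
				www_challenge("example.com", "0");
				break;
			};
			# Step 2: the URI being registered lives in To, so make sure
			# the To user matches the authenticated digest username.
			# Without this, A's valid credentials could register B's contact.
			if (!check_to()) {
				sl_send_reply("403", "To does not match credentials");
				break;
			};
			save("location");
			break;
		};

		if (method=="INVITE") {
			# Step 1: verify the digest credentials (Proxy-Authorization).
			if (!proxy_authorize("example.com", "subscriber")) {
				proxy_challenge("example.com", "0");
				break;
			};
			# Step 2: the asserted caller identity is in From, so make sure
			# the From user matches the authenticated digest username.
			if (!check_from()) {
				sl_send_reply("403", "Use From=ID");
				break;
			};
			# Credentials were for this proxy only; strip them before forwarding.
			consume_credentials();
		};

		if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			break;
		};
	};

	if (!t_relay()) {
		sl_reply_error();
	};
}
```

The order matters: check_to() and check_from() compare against the username carried in the digest credentials, so they are only meaningful after www_authorize() or proxy_authorize() has accepted those credentials. Replying 403 rather than re-challenging makes the mismatch visible in the client's logs, which is usually what you want when tracking down misconfigured or misbehaving UAs.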
