[Serusers] From/To vulnerability

Bob Cat falling174fps at hotmail.com
Fri Dec 10 17:49:07 CET 2004


I've noticed most scripts checking the From and To parts are somewhat flawed.
E.g.:

# if sender claims to be in our domain in From header field....
if (search("(f|From): .*@mydomain.com")) {
   ....
};

Looks ok right? Not really - I'll explain why.

I wanted my REGISTER request's host part to match my realm exactly to
avoid uri==myself matching and then the above example not
matching. A user could register @sipserver.mydomain.com and it would be
accepted. They'd be from our domain but without a check. So I did this:

if (method=="REGISTER") {
    if (search("^To: .*@mydomain.com")) {
        # authenticate
    } else {
        # no thanks
    };
};

But, this can be spoofed by setting a name (e.g. in kphone) with a domain part.
The To part of the sip register message will then look like this:

To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>

And it will match. Bummer. Use check_to (I hope the parsing of this field is
accurate, I might take a look at the source!), or use a regexp like:

search("^To: .*sip:[^@]+@mydomain.com");

Hope that does it.

Conor.
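The display-name trick above, worked through as an added example (not part of the original post or of SER's own code): the naive regex is run beside a small parser that takes the host only from the URI inside the angle brackets and compares it with the realm exactly. The sample headers are constructed; the spoofed one mirrors the post.

```python
import re

OUR_REALM = "mydomain.com"

# Constructed sample To headers; SPOOFED mirrors the kphone example above
LEGIT   = 'To: <sip:2001@mydomain.com>'
BARE    = 'To: sip:2002@mydomain.com;tag=1928301774'
SPOOFED = 'To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>'
SUFFIX  = 'To: <sip:2001@mydomain.com.example.net>'

# The naive check: "@mydomain.com" anywhere on the line, display name included
NAIVE_RE = re.compile(r'^To: .*@mydomain\.com')

def naive_check(header: str) -> bool:
    return NAIVE_RE.search(header) is not None

def to_uri_host(header: str):
    """Host part of the URI in a To header, ignoring the display name.

    Handles the short form 't:', the name-addr form ('"name" <sip:u@h>')
    and the addr-spec form ('sip:u@h;tag=...'). Ports, IPv6 literals and
    escaped characters are not handled (simplification for the example).
    """
    m = re.match(r'^(?:to|t)\s*:\s*(.*)$', header.strip(), re.IGNORECASE)
    if not m:
        return None
    value = m.group(1)
    angle = re.search(r'<([^>]*)>', value)
    # name-addr: the URI is between < >, everything outside is display name
    # addr-spec: header parameters (;tag=...) follow the bare URI
    uri = angle.group(1) if angle else value.split(';', 1)[0].strip()
    m = re.match(r'^sips?:(?:[^@]*@)?([^;:?]+)', uri)
    return m.group(1).lower() if m else None

def in_our_realm(header: str) -> bool:
    """Exact comparison of the parsed URI host with our realm."""
    return to_uri_host(header) == OUR_REALM

if __name__ == "__main__":
    for h in (LEGIT, BARE, SPOOFED, SUFFIX):
        print(f"naive={naive_check(h)!s:5} parsed={in_our_realm(h)!s:5} {h}")
```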
