[Serusers] From/To vulnerability

Nils Ohlmeier nils at iptel.org
Fri Dec 10 23:19:34 CET 2004


Hi Conor,

see inline

On Friday 10 December 2004 17:49, Bob Cat wrote:
> I've noticed most scripts checking from and to parts are somewhat flawed.
> Eg:
>
> # if sender claims to be in our domain in From header field....
> if (search("(f|From): .*@mydomain.com")) {
>    ....
> };
>
> Looks ok right? Not really - I'll explain why.
>
> I wanted my REGISTER request's host part to match my realm exactly to
> avoid uri==myself matching and then the above example not
> matching. A user could register @sipserver.mydomain.com and it would be
> accepted. They'd be from our domain but without a check. So I did this:
>
> if (method=="REGISTER") {
>     if (search("^To: .*@mydomain.com"))
>     {  authenticate }
>     else { no thanks }
>
> But, this can be spoofed by setting a name (eg in kphone) with a domain
> part.
> The To part of the sip register message will then look like this:
>
> To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>
>
> And it will match. Bummer. Use check_to (I hope the parsing of this field
> is accurate, I might take a look at the source!), or use a regexp like:
>
> search("^To: .*sip:[^@]+@mydomain.com");
>
> Hope that does it.

To: "regexp fake sip:foobar@mydomain" <sip:2001@sipserver.mydomain.com>

Just my 2 cents :-)

Greetings
  Nils
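An added illustration of the point made in this thread (example code, not from the thread or from SER): both regexp checks run over the raw To line, so anything in the display name can satisfy them, whereas a check that extracts the addr-spec and compares the host exactly cannot be fooled that way. The sample headers are constructed; the display-name strings are the kind of values described above.

```python
import re
from typing import Optional

DOMAIN = "mydomain.com"

# The thread's search() regexps, transcribed to Python (dot escaped).
NAIVE_TO = re.compile(r"^To: .*@mydomain\.com")             # first attempt
TIGHTER_TO = re.compile(r"^To: .*sip:[^@]+@mydomain\.com")  # tightened version


def regexp_to_in_domain(header: str, pattern: re.Pattern) -> bool:
    """Mimics `if (search(...))` applied to the raw To header line."""
    return pattern.search(header) is not None


def parsed_to_host(header: str) -> Optional[str]:
    """Host of the To header's addr-spec, ignoring the display name.

    Handles name-addr ("Name" <sip:user@host;p>;tag=x) and bare addr-spec
    (sip:user@host;tag=x) forms; returns None if the header is unparseable.
    """
    _, sep, value = header.partition(":")
    if not sep:
        return None
    value = value.strip()
    # Drop a quoted display-name so nothing inside the quotes is inspected.
    value = re.sub(r'^"(?:[^"\\]|\\.)*"\s*', "", value)
    m = re.search(r"<([^<>]*)>", value)
    addr = m.group(1) if m else value.split(";", 1)[0]
    # scheme, optional userinfo@, then host (stops at port, params, headers).
    m = re.match(r"(?i)sips?:(?:[^@>;?]*@)?([A-Za-z0-9.\-]+)", addr)
    return m.group(1).lower() if m else None


def parsed_to_in_domain(header: str, domain: str = DOMAIN) -> bool:
    """Exact host comparison, which is the property a header check needs."""
    return parsed_to_host(header) == domain.lower()


# Constructed sample To headers for the cases discussed in the thread.
LEGIT = "To: <sip:2001@mydomain.com>"
SUBDOMAIN = "To: sip:2001@sipserver.mydomain.com;tag=1a2b"
SPOOF_NAME = 'To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>'
SPOOF_URI_IN_NAME = 'To: "fake sip:foobar@mydomain.com" <sip:2001@sipserver.mydomain.com>'

if __name__ == "__main__":
    for h in (LEGIT, SUBDOMAIN, SPOOF_NAME, SPOOF_URI_IN_NAME):
        print(f"{h}\n  naive={regexp_to_in_domain(h, NAIVE_TO)} "
              f"tighter={regexp_to_in_domain(h, TIGHTER_TO)} "
              f"parsed={parsed_to_in_domain(h)} host={parsed_to_host(h)}")
```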



