[Serusers] From/To vulnerability

Bob Cat falling174fps at hotmail.com
Sat Dec 11 17:01:04 CET 2004


Yes, you are absolutely right! I realised later that it isn't that simple to parse addresses.

However, it occurred to me that I have the wrong approach - I guess that in most cases, a person will hardly want to fake their address so that you will actually try and authenticate them! I couldn't think of any reason why making ser think a message is from our domain (especially when you would then go and challenge them) is to someone's advantage.

More likely the opposite is the case. A sender might want to claim to be in our domain but have SER miss that fact. Is SIP spam a problem yet?!
So the code:

# if sender claims to be in our domain in From header field....
if (search("(f|From): .*@mydomain.com")) {
    if (!proxy_auth.....

should be ok! Sorry, I've done a lot of QA work, I try and find holes in everything :-)

However it is true that finding a full email address within a header can be harder than it seems at first glance. RFC822 allows all sorts of ugly things like:

   < eli(Elijah)@netusa(not associated with usa.net).net >

( Taken from http://www.faqs.org/faqs/mail/addressing/ which is quite interesting. There are much scarier examples there too. Serusers pipermail list will probably play with the above btw. )

I do not yet know if SIP allows addresses in this particular form. I will look it up. But if so, then some extra functions might be needed in, say, textops module to do matching. You cannot (easily?) match full rfc822 addresses with a regexp...

All this is probably just "interesting", rather than being of practical concern :-)

Conor.

>From: Nils Ohlmeier
>Subject: Re: [Serusers] From/To vulnerability
>
>Hi Conor,
>
>see inline
>
>On Friday 10 December 2004 17:49, Bob Cat wrote:
> > I've noticed most scripts checking from and to parts are somewhat flawed.
> > Eg:
> >
> > # if sender claims to be in our domain in From header field....
> > if (search("(f|From): .*@mydomain.com")) {
> >    ....
> > };
> >
> > Looks ok right? Not really - I'll explain why.
> >
> > I wanted my REGISTER request's host part to match my realm exactly to
> > avoid uri==myself matching and then the above example not
> > matching. A user could register @sipserver.mydomain.com and it would be
> > accepted. They'd be from our domain but without a check. So I did this:
> >
> > if (method=="REGISTER") {
> >     if (search("^To: .*@mydomain.com"))
> >     {  authenticate }
> >     else { no thanks }
> >
> > But, this can be spoofed by setting a name (eg in kphone) with a domain
> > part.
> > The To part of the sip register message will then look like this:
> >
> > To: "Hello @mydomain.com" <sip:2001 at sipserver.mydomain.com>
> >
> > And it will match. Bummer. Use check_to (I hope the parsing of this field
> > is accurate, I might take a look at the source!), or use a regexp like:
> >
> > search("^To: .*sip:[^@]+ at mydomain.com");
> >
> > Hope that does it.
>
>To: "regexp fake sip:foobar at mydomain" <sip:2001 at sipserver.mydomain.com>
>
>Just my 2 cents :-)
>
>Greetings
>   Nils
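As an added illustration of the point both messages make (this is not code from the thread or from SER): the two `search()` regexps from the quoted exchange, transcribed into Python, beside a small parser that skips the display-name, extracts the addr-spec from the To header and compares the URI host exactly. The header samples are constructed, with the archive's " at " restored to "@"; `mydomain.com` is the thread's placeholder domain.

```python
import re

# The two regexp checks from the thread, transcribed into Python (added here, not ser.cfg syntax).
NAIVE_V1 = re.compile(r"^To: .*@mydomain\.com")            # search("^To: .*@mydomain.com")
NAIVE_V2 = re.compile(r"^To: .*sip:[^@]+@mydomain\.com")   # search("^To: .*sip:[^@]+@mydomain.com")

def _skip_quoted_string(s, i):
    """s[i] is the opening '"'; return the index just past the closing quote, honouring backslash escapes."""
    i += 1
    while i < len(s):
        if s[i] == "\\":
            i += 2
        elif s[i] == '"':
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated quoted-string in display-name")

def addr_spec(header_value):
    """Return the addr-spec (URI) of a From/To value, skipping the display-name entirely."""
    s = header_value.strip()
    i = _skip_quoted_string(s, 0) if s.startswith('"') else 0
    lt = s.find("<", i)
    if lt == -1:                                    # bare addr-spec: ends at ';' or whitespace
        return re.split(r"[;\s]", s, maxsplit=1)[0]
    gt = s.find(">", lt)
    if gt == -1:
        raise ValueError("name-addr without closing '>'")
    return s[lt + 1:gt].strip()

def uri_host(uri):
    """Host of a sip:/sips: URI, without userinfo, port, uri-parameters or headers."""
    m = re.match(r"(?i)sips?:", uri)
    if not m:
        raise ValueError("not a sip/sips URI: %r" % uri)
    rest = uri[m.end():]
    if "@" in rest:                                 # '@' only ever separates userinfo from hostport
        rest = rest.split("@", 1)[1]
    return re.split(r"[:;?]", rest, maxsplit=1)[0].lower()

def is_our_domain(header_value, domain="mydomain.com"):
    """Exact host comparison, so sipserver.mydomain.com is not accepted as mydomain.com."""
    return uri_host(addr_spec(header_value)) == domain.lower()

def verdicts(header_value):
    """(naive v1, naive v2, parsed) for the line 'To: ' + header_value."""
    line = "To: " + header_value
    return (bool(NAIVE_V1.search(line)), bool(NAIVE_V2.search(line)), is_our_domain(header_value))
```

Run `verdicts()` on the two spoofed To values from the thread: Bob Cat's display-name trick fools the first regexp only, Nils's fools both, and the parsed check rejects each because the real URI host is sipserver.mydomain.com.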
