[Serusers] maybe it's a weakness of SER auth

wangji wangji at bjut.edu.cn
Tue Feb 10 16:33:27 CET 2004


Hi all,
      My SER server uses mysql for auth. These days I have found a problem.
      If a user has an account in the mysql database of the SER server, he can avoid system accounting.
For example, a user has the ID 123456 and he has the password.
When he makes a call, he sends an INVITE like this (just a sample):
       INVITE sip:111111@iptel.org:5060 SIP/2.0
      From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
      To: <sip:111111@iptel.org>
      ............
The SER server replies 407 (authentication request).
Then the user replies ACK and sends an INVITE with authentication like
       INVITE sip:111111@iptel.org:5060 SIP/2.0
      From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
      To: <sip:111111@iptel.org>
      Proxy-Authorization: Digest username="123456", realm="iptel.org", nonce="....", uri="123456@iptel.org", response="............"
(or   Proxy-Authorization: Digest username="123456", realm="iptel.org", nonce="....", uri="333333@iptel.org", response="............" )
      ............
Then the user passes the authentication using his ID, and he makes the call using another ID.

When registering to the SER server, he can use the same way for the 401 auth.

I tried it on my SER server and it passed! How to avoid it?


Jimmy
2/9/04

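The gap Jimmy describes is that Digest authentication only proves the sender knows the password for the username inside the Proxy-Authorization (or Authorization) header; nothing in the digest covers the From header of an INVITE or the To header of a REGISTER, so the proxy has to bind the two identities itself. The following Python model is an added example, not code from the post or from SER, and it assumes a constructed subscriber table, a constructed server nonce and RFC 2617 Digest without qop. It shows that the post's spoofed INVITE passes the credential check (step 1) and is only rejected by the extra username-binding check (step 2). In a real ser.cfg that second step is what the uri module's check_from() (for calls) and check_to() (for REGISTER) do after proxy_authorize()/www_authorize().

```python
import hashlib
import hmac
import re

# Constructed stand-in for SER's mysql "subscriber" table: username -> password.
REALM = "iptel.org"
SUBSCRIBERS = {"123456": "pw-123456", "654321": "pw-654321"}
NONCE = "4b2f9c1e0d7a"  # constructed: the nonce the proxy put into its 407/401 challenge


def digest_response(username, password, method, uri, nonce, realm=REALM):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def parse_message(raw):
    """Split a SIP request into (method, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def parse_digest(value):
    """Turn 'Digest k="v", k2="v2"' into a dict of parameters."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def uri_user(header_value):
    """User part of the first sip: URI in a From/To header."""
    m = re.search(r"sip:([^@>;]+)@", header_value)
    return m.group(1) if m else None


def credentials_valid(raw, server_nonce):
    """Step 1, all that a bare proxy_authorize()/www_authorize() establishes:
    the response was computed with the password of auth.username."""
    method, headers = parse_message(raw)
    hdr = headers.get("authorization" if method == "REGISTER" else "proxy-authorization")
    if hdr is None:
        return False
    auth = parse_digest(hdr)
    user = auth.get("username")
    if auth.get("realm") != REALM or auth.get("nonce") != server_nonce or user not in SUBSCRIBERS:
        return False
    # The digest covers the uri= parameter the client chose, never From or To.
    expected = digest_response(user, SUBSCRIBERS[user], method, auth.get("uri", ""), server_nonce)
    return hmac.compare_digest(expected, auth.get("response", ""))


def authorize(raw, server_nonce):
    """Step 1 plus step 2: the authenticated username must equal the identity the
    request asserts (From for a call, To for a REGISTER). Returns the reply code."""
    method, headers = parse_message(raw)
    if not credentials_valid(raw, server_nonce):
        return "401" if method == "REGISTER" else "407"
    hdr = headers["authorization" if method == "REGISTER" else "proxy-authorization"]
    asserted = uri_user(headers["to"] if method == "REGISTER" else headers["from"])
    if asserted != parse_digest(hdr)["username"]:
        return "403"
    return "200"


def build_request(method, cred_user, from_user, to_user, password=None):
    """Constructed request shaped like the post's INVITE, carrying a correct digest for cred_user."""
    password = SUBSCRIBERS[cred_user] if password is None else password
    target = f"sip:{to_user}@{REALM}" if method == "INVITE" else f"sip:{REALM}"
    hdr = "Proxy-Authorization" if method == "INVITE" else "Authorization"
    resp = digest_response(cred_user, password, method, target, NONCE)
    return (
        f"{method} {target} SIP/2.0\n"
        f'From: "{from_user}" <sip:{from_user}@{REALM}>;tag=9f1a\n'
        f"To: <sip:{to_user}@{REALM}>\n"
        f'{hdr}: Digest username="{cred_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{target}", response="{resp}"\n'
    )


if __name__ == "__main__":
    # The post's scenario: valid credentials for 123456, From claims 654321.
    spoofed = build_request("INVITE", "123456", "654321", "111111")
    print(credentials_valid(spoofed, NONCE), authorize(spoofed, NONCE))  # True 403
```

The same binding applies to REGISTER: the authenticated username is compared with the To header (the address of record being registered), so a caller cannot register contacts under someone else's account with his own password.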
