[Serusers] maybe it's a weakness of SER auth

Jan Janak jan at iptel.org
Tue Feb 10 16:55:27 CET 2004


You can compare the username in To/From and the username in the digest
credentials and refuse the message if they differ. See the check_from and
check_to functions in the uri module.

  Jan.

On 10-02 11:09, wangji wrote:
> Hi all,
>       My SER server uses MySQL for auth. These days I found a question.
>       If a user has an account in the MySQL database of the SER server, he can avoid system accounting.
> For example, a user has ID 123456 and he has the password.
> When he makes a call, he sends an INVITE like this (just a sample):
>        INVITE: sip:111111 at iptel.org:5060 SIP/2.0
>       From: "654321"<sip:654321 at iptel.org>;tag=xxxxxxx
>       To: <sip:111111 at iptel.org>
>       ............
> The SER server replies with 407 (authentication request).
> Then the user replies with ACK and sends an INVITE with authentication like
>        INVITE: sip:111111 at iptel.org:5060 SIP/2.0
>       From: "654321"<sip:654321 at iptel.org>;tag=xxxxxxx
>       To: <sip:111111 at iptel.org>
>      Proxy-Authorization: Digest username="123456", realm="iptel.org",nonce="....",uri="123456 at iptel.org",response="............"
> (or     Proxy-Authorization: Digest username="123456", realm="iptel.org",nonce="....",uri="333333 at iptel.org",response="............" )
>       ............
> Then the user passes the authentication using his ID, and he makes a call using another ID.
> 
> When registering to the SER server, he can use the same method for 401 auth.
> 
> I tried it on my SER server and it passed! How can I avoid it?
> 
> 
> Jimmy
> 2/9/04
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
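A defender-side version of the check Jan describes, written here as an added example in Python (it is not SER's uri module code): after the digest itself has been verified, compare the digest username with the From user for calls and with the To user for REGISTER, and reject on mismatch. The sample message is constructed from the INVITE in the thread; the digest `uri` parameter is deliberately ignored, since it is not the identity being asserted.

```python
import re

# Constructed sample based on the thread: digest username "123456", but the
# caller claims to be "654321" in From. This is the case that must be refused.
SAMPLE_INVITE = (
    "INVITE sip:111111@iptel.org:5060 SIP/2.0\r\n"
    'From: "654321" <sip:654321@iptel.org>;tag=abc\r\n'
    "To: <sip:111111@iptel.org>\r\n"
    'Proxy-Authorization: Digest username="123456", realm="iptel.org", '
    'nonce="n1", uri="sip:111111@iptel.org", response="deadbeef"\r\n'
    "\r\n"
)


def parse_headers(msg):
    """Return (request method, {lowercased header name: value}) for a SIP request."""
    head, _, _ = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def uri_user(header_value):
    """Extract the user part of the SIP URI carried in a From or To header."""
    m = re.search(r"sips?:([^@;>]+)@", header_value)
    return m.group(1) if m else None


def digest_param(header_value, name):
    """Read one quoted parameter (e.g. username) out of a Digest credentials header."""
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), header_value)
    return m.group(1) if m else None


def credentials_match(msg):
    """Mirror of the check_from/check_to idea: the authenticated digest username
    must equal the identity the request asserts. Run this only after the digest
    response has been verified (proxy_authorize / www_authorize in SER).
    Returns (ok, reason)."""
    method, headers = parse_headers(msg)
    # REGISTER is challenged with 401 and carries Authorization; other requests
    # are challenged with 407 and carry Proxy-Authorization.
    is_register = method == "REGISTER"
    auth_hdr = headers.get("authorization" if is_register else "proxy-authorization")
    if auth_hdr is None:
        return False, "no credentials"
    digest_user = digest_param(auth_hdr, "username")
    # REGISTER binds the To user (the address of record); calls assert the caller in From.
    identity_name = "To" if is_register else "From"
    identity_user = uri_user(headers.get(identity_name.lower(), ""))
    if digest_user != identity_user:
        return False, "digest username %r != %s user %r" % (digest_user, identity_name, identity_user)
    return True, "ok"
```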
