[Serusers] DB logging issue

Greger V. Teigre greger at teigre.com
Tue Jul 11 08:22:45 CEST 2006


Please look at the onsip.org example scripts for how to use check_from() 
to prevent this.
g-)

Paul PREVOT wrote:
> Nobody is able to answer me? Is it impossible to ensure security with ser or
> openser? Do I have to modify www_authorize()?
>
> Regards,
> Paul
>
> -----Original Message-----
> From: serusers-bounces at lists.iptel.org
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Paul PREVOT
> Sent: Tuesday, July 4, 2006 11:06
> To: serusers at iptel.org
> Subject: [Serusers] DB logging issue
>
> Hi all,
>
> I am using the following code to log calls in DB:
>
> modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
> modparam("acc", "log_level", 1)
> #modparam("acc", "log_flag", 1)
> modparam("acc", "db_flag", 3)
>
>
> ...
> if (method=="INVITE") {
>          if (!www_authorize("mydomain.org", "subscriber")) {
>                  www_challenge("mydomain.org", "0");
>                  return;
>          };
>          setflag(3);
> };
>
> In the following situation:
>
> Username : sip:tutu at mydomain.org
> Login : toto
> Pw : toto
>
> This client would be able to handle the challenge as he has a valid login
> and pw, but openser will log tutu in DB as caller!!!!
>
> In this situation I'd like either to log correctly in DB or to reject the
> call and ask user to setup his sip client properly.
>
> Have you already experienced this issue? Do you have any idea how to fix it?
> How can I check if the username is really equal to the login used for
> authentication?
>
>
> Regards,
> Paul
>
> _______________________________________________
> Serusers mailing list
> Serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
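The check suggested in the reply above, applied to the INVITE block from the question. This is an added example, not taken from the thread or from the onsip.org scripts. It assumes the module that exports check_from() and the sl module (for sl_send_reply) are loaded, and the reply text is constructed for illustration.

```cfg
# Added example; assumes the module exporting check_from() (uri, or uri_db
# in later OpenSER releases) and the sl module are loaded.
if (method=="INVITE") {
    # Step 1: digest authentication proves the client knows the password
    # for the username in its credentials (e.g. "toto").
    if (!www_authorize("mydomain.org", "subscriber")) {
        www_challenge("mydomain.org", "0");
        return;
    };

    # Step 2: bind the From header to the authenticated identity.
    # check_from() fails when the From username (e.g. "tutu") differs from
    # the digest username, so the request is rejected before it is flagged.
    if (!check_from()) {
        sl_send_reply("403", "From username must match authentication username");
        return;
    };

    # Step 3: only now mark the call for DB accounting (db_flag is 3), so the
    # caller written to the database is the one that authenticated.
    setflag(3);
};
```

check_from() must run after a successful www_authorize(), because it compares against the credentials verified in that step.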


