[OpenSER-Users] Security hole in REGISTER's Contact using domain
Iñaki Baz Castillo
ibc at in.ilimit.es
Fri Dec 14 10:41:29 CET 2007
On Friday 14 December 2007 09:59:36 Iñaki Baz Castillo wrote:
> On Friday 14 December 2007 07:02:37 Juha Heinanen wrote:
> > Iñaki Baz Castillo writes:
> > > How to handle it? is it not a real security hole?
> >
> > 1) buy pstn gws that accept no hostnames (just its own ip address) in
> > the hostpart of r-uri. example, cisco ios with later software
> > releases.
I've tried this with Asterisk as GW. It works by adding:
sip.conf:
-------------
allowexternaldomains=no
domain=85.95.0.111
-------------
And in OpenSer:
register.deny:
-------------
ALL : "^sip:.*0*85\.0*95\.0*0\.0*111"
-------------
Anyway, do people really care about it?
Regards.
--
Iñaki Baz Castillo
ibc at in.ilimit.es
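
Added example (not part of the original message or of OpenSER): a Python check of the register.deny Contact pattern quoted above against constructed Contact URIs, showing what it blocks, what it leaves to the gateway-side domain setting, and where it over-matches. It assumes the pattern is applied to the Contact URI and uses Python's re in place of the POSIX regex engine; STRICT_CONTACT is a hypothetical tightened pattern, not from the thread.

```python
import re

# Contact pattern copied from the register.deny line in the message.
DENY_CONTACT = re.compile(r"^sip:.*0*85\.0*95\.0*0\.0*111")

# Hypothetical tightened pattern (assumption, not from the thread): the
# address must be the whole host part, so other addresses that merely
# contain "85.95.0.111" are no longer rejected.
STRICT_CONTACT = re.compile(
    r"^sip:([^@]*@)?0*85\.0*95\.0*0\.0*111([:;>]|$)"
)

# Constructed sample Contact URIs (not taken from real traffic).
SAMPLES = {
    "gateway IP": "sip:0034911234567@85.95.0.111",
    "gateway IP, zero-padded": "sip:0034911234567@085.095.000.111",
    "gateway IP with port": "sip:0034911234567@85.95.0.111:5060",
    "ordinary UA contact": "sip:alice@192.0.2.10:5060",
    # A hostname is invisible to an IP-based pattern; this case is what
    # the gateway-side allowexternaldomains=no / domain= setting covers.
    "hostname (placeholder)": "sip:0034911234567@gw.example.invalid",
    # Unrelated address that happens to contain the gateway IP as a suffix.
    "other address, same suffix": "sip:bob@185.95.0.111",
}


def audit(pattern, samples=SAMPLES):
    """Return {label: True if the Contact URI would be denied}."""
    return {label: pattern.search(uri) is not None
            for label, uri in samples.items()}


if __name__ == "__main__":
    original = audit(DENY_CONTACT)
    strict = audit(STRICT_CONTACT)
    print(f"{'case':30} {'register.deny':>14} {'tightened':>10}")
    for label in SAMPLES:
        print(f"{label:30} {str(original[label]):>14} {str(strict[label]):>10}")
```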