[Users] User Registration Security on Openser

Howard Tang howard615 at gmail.com
Thu Jan 18 02:41:37 CET 2007


Hi Christian,

Thank you for pointing that out. I found that the person is one of my
users, but he put a username in X-Lite different from the auth username.
That is why I see a different number, and your solution fixed the
issue!

Thanks a lot.

Regards,
Howard

On 1/18/07, Christian Schlatter <cs at unc.edu> wrote:
> Howard Tang wrote:
> > Hi,
> >
> > I realized someone is able to make calls and register to my SIP
> > proxy while he/she is not in the subscriber table.
> >
> > I couldn't find his/her username in the subscriber table, but I was
> > able to see him/her in the location table. I am able to see he/she
> > made 10 calls from my SIP proxy.
> >
> > Does anyone have an idea of what I have done wrong? I have included the
> > authentication part of the config here.
>
> Your config looks OK to me, but it will allow someone with a valid digest
> username/password combination to register *any* AOR SIP URI. One method
> to avoid that is to use check_to() from the uri_db module.
>
> Similarly you can use check_from() to make sure that endpoints use a SIP
> From header that exists in the subscriber table.
>
> SIP digest credentials are independent of the SIP URIs used, allowing
> e.g. third-party registration. That means I could add a registration for
> your AOR SIP URI. But obviously this also introduces a risk for misuse.
>
> I've added check_to() and check_from() to your config.
>
> - Christian
>
> # -- uri_db params --
> modparam("uri_db", "db_url",
> "mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
> modparam("uri_db", "subscriber_table", "subscriber")
> modparam("uri_db", "use_uri_table", 0) # use subscriber table
> modparam("uri_db", "use_domain", 0) # only check username (no multi
>                                      # domain support)
>
>
> >
> >     if (uri==myself) {
> >                if (method=="REGISTER") {
> >                        # Uncomment this if you want to use digest authentication
> >                        if (!www_authorize("x.x.x.x", "subscriber")) {
> >                                www_challenge("x.x.x.x", "0");
> >                                exit;
> >                        };
>
>                           if (!check_to()) {
>                                   sl_send_reply("401", "Unauthorized");
>                                   exit;
>                           }
>
>
> >                        consume_credentials();
> >                        save("location");
> >                        exit;
> >                };
> >
> >                if (method=="INVITE") {
> >                        if (!proxy_authorize("","subscriber")) {
> >                                proxy_challenge("x.x.x.x","0");
> >                                exit;
> >                        }
>
>                           if (!check_from()) {
>                                   sl_send_reply("403", "Use From=ID");
>                                   exit;
>                           }
>
> >                        consume_credentials();
> >                };
> >
> >                lookup("aliases");
> >                if (!uri==myself) {
> >                        append_hf("P-hint: outbound alias\r\n");
> >                        route(1);
> >                };
> >
> >
>
>


-- 
Howard Tang
ICQ : 259083
MSN : howard615 at hotmail.com
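As an added example (not part of this thread, and not the uri_db module's own code), the following Python model shows why digest authentication alone lets any valid subscriber bind any AOR, and how a check_to()-style comparison closes that gap. The subscriber table, realm and nonce are constructed; modelling check_to() as "To user must equal the authenticated digest username" is an assumption about what uri_db does when use_uri_table is 0.

```python
import hashlib
import re

# Constructed subscriber table (username -> password); stands in for the 'subscriber' table.
SUBSCRIBERS = {"1001": "pw-1001", "1002": "pw-1002"}
REALM = "example.invalid"   # placeholder for the "x.x.x.x" realm used in the config


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 digest response without qop, as a SIP phone would compute it."""
    ha1 = md5(f"{username}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def uri_user(header):
    """User part of the SIP URI in a To/From header, e.g. '"Bob" <sip:1002@host>' -> '1002'."""
    m = re.search(r"sips?:([^@>;]+)@", header)
    return m.group(1) if m else None


def authorize(msg):
    """Stand-in for www_authorize(): the digest username if the response verifies, else None."""
    auth = msg["auth"]
    pw = SUBSCRIBERS.get(auth["username"])
    if pw is None:
        return None
    expected = digest_response(auth["username"], pw, msg["method"], auth["uri"], auth["nonce"])
    return auth["username"] if expected == auth["response"] else None


def handle_register(msg, enforce_check_to):
    """Registrar decision. Without the To check, any valid credentials may bind any AOR."""
    user = authorize(msg)
    if user is None:
        return "401 Unauthorized"
    # check_to() as modelled here (assumption): the To user must equal the digest username.
    if enforce_check_to and uri_user(msg["to"]) != user:
        return "401 Unauthorized"
    return f"200 OK (bound AOR {uri_user(msg['to'])})"


def make_register(auth_user, to_user, nonce="abc123"):
    """Constructed REGISTER reduced to the fields the decision needs."""
    uri = f"sip:{REALM}"
    resp = digest_response(auth_user, SUBSCRIBERS.get(auth_user, ""), "REGISTER", uri, nonce)
    return {"method": "REGISTER", "to": f"<sip:{to_user}@{REALM}>",
            "auth": {"username": auth_user, "uri": uri, "nonce": nonce, "response": resp}}
```

The second case below is the one Howard hit: a real subscriber (1001) whose phone is configured with a different SIP username, so the location table shows an AOR that never appears in the subscriber table.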