[OpenSER-Users] my small security breach REGISTER

Marcello Lupo mlist at itspecialist.it
Fri Sep 7 12:37:01 CEST 2007


Hi,
Sorry, but what does the content of the Contact header matter, assuming 
that it is a valid URI?
The CPE can be behind NAT and not have the same parameters as the 
registration to be reached.
I think the problem is to ensure that the From and To that form the AOR 
that the client is about to register are allowed for that client.
In my config I have multiple numbers that can be assigned to a single 
CPE, and I use an AVP to check that the username used is allowed to 
register that AOR.
If I'm not wrong, the contact is put in the INVITE after the lookup of 
the AOR on the proxy, so you cannot receive someone else's calls if you 
check that the authentication corresponds to an AOR enabled to register 
with that authentication.
Another issue is that some crap phones put invalid URIs in the Contact, 
like:


http://x.x.x.x
https:/x.x.x.x

Or something like this.
Is there a way to check the validity of the URI before allowing the 
registration?

Thanks,
Bye,
Marcello


Daniel-Constantin Mierla wrote:
>
>
> On 09/06/07 15:40, Christian Schlatter wrote:
>> Klaus Darilion wrote:
>>> This is an old problem - often called registration hijacking.
>>
>> Some call it a feature: 3rd party registration ;-)
> Indeed, to make everybody happy, the solution is provided by 
> uri_db/check_from(), as stated in this thread. With that, any user can 
> set a list of other users that can do registrations on its behalf; 
> that's what the uri table is for.
>
> Daniel
>
>>
>> /Christian
>>
>>
>>>
>>> After authentication, use check_to() for REGISTER and check_from() 
>>> for all other SIP requests.
>>>
>>> regards
>>> klaus
>>>
>>> Marc LEURENT schrieb:
>>>> I have a security matter with my configuration (default one), it's 
>>>> possible to register using login/password and to set anything in 
>>>> the contact field.
>>>> So if you have an account 106/password, it's possible to be 105 in 
>>>> the location database!
>>>>
>>>> How is it possible to deny that kind of matter..? Thanks
>>>>
>>>> Is it useful to use method_filtering of the REGISTRAR module?
>>>> Or is it better to do something with the values below and a 
>>>> compare function?
>>>> $ct - reference to body of contact header
>>>> $ar - realm from Authorization or Proxy-Authorization header
>>>> $au - username from Authorization or Proxy-Authorization header
>>>>
>>>> if ($ct != $au@$ar) {
>>>>     sl_send_reply("403", "User and login must be the same");
>>>> };
>>>>
>>>> Best Regards,
>>>>
>>>> Marc LEURENT
>>>>
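
The two checks discussed in this thread, modelled in Python as an added example (not OpenSER configuration and not code from any poster): after digest authentication, the AOR in To must be one the credentials may register, while Contact may point anywhere but must be a SIP URI. The `ALLOWED_AORS` table (standing in for the uri table), the `example.com` realm and all function names are constructed for illustration.

```python
import re

# Constructed stand-in for the uri table: credential -> AORs it may register.
ALLOWED_AORS = {
    "106@example.com": {"sip:106@example.com"},
    "200@example.com": {"sip:200@example.com", "sip:201@example.com"},
}

# sip/sips scheme, optional user, host, optional port, optional URI parameters
SIP_URI = re.compile(
    r"^sips?:(?:([^@\s;>]+)@)?([A-Za-z0-9.\-]+)(?::\d+)?(?:[;?].*)?$", re.I)

def addr_spec(header_value):
    """Strip display name, angle brackets and header parameters."""
    value = header_value.strip()
    if "<" in value and ">" in value:
        return value[value.index("<") + 1:value.index(">")].strip()
    return value.split(";", 1)[0].strip()

def aor(header_value):
    """Return a normalised 'sip:user@host' for a To value, or None."""
    m = SIP_URI.match(addr_spec(header_value))
    if not m or not m.group(1):
        return None
    return "sip:%s@%s" % (m.group(1), m.group(2).lower())

def check_register(auth_user, auth_realm, to_hdr, contacts):
    """Decide a REGISTER that has already passed digest authentication."""
    target = aor(to_hdr)
    if target is None:
        return 400, "Bad To URI"
    cred = "%s@%s" % (auth_user, auth_realm.lower())
    # The check_to() step: To must name an AOR these credentials own
    # or have been delegated.
    if target not in ALLOWED_AORS.get(cred, set()):
        return 403, "Credentials not allowed to register this AOR"
    # Contact host/port may differ from the AOR (NAT), but must be a SIP URI.
    for c in contacts:
        if c.strip() != "*" and not SIP_URI.match(addr_spec(c)):
            return 400, "Invalid Contact URI"
    return 200, "OK"
```
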




