[SR-Users] Why is the To URI the default in save()?

Daniel Tryba d.tryba at pocos.nl
Mon May 15 14:14:14 CEST 2017


The save function from the registrar module uses the To header to dissect
and store the username for the location table according to observations
and documentation
http://www.kamailio.org/docs/modules/stable/modules/registrar.html#registrar.f.save

After troubleshooting a ticket from an end user unable to receive calls
where all looked fine but the username used for authentication wasn't
showing up in the location database, I finally found the REGISTER was
added to the location database, but not with the user's username,
instead it was using the username (phone number) specified in the To
header. Till now I always assumed that the username in the location
table would be the username used during authentication(*).

This opens the door to hijacking incoming calls to other users on the
same Kamailio registrar if one knows/guesses other usernames and uses
those in the To header. This realisation is kind of shocking to me.

The solution is simple (if authentication is required):
save("location", "0x00", "sip:$au@$rd");


*: which kind of answers my question in the subject, what else can be
used if there is no authentication required?
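
The following routing block is an added example, not part of the original post or of the Kamailio project's sample configuration. It shows two ways to keep the To header from choosing the location record: rejecting a mismatch, and the save() call from the post. The route name, the "subscriber" table and the "$fd" realm are assumptions.

```kamailio
# Added example. Assumes the auth, auth_db, registrar, usrloc, sl, xlog
# and textops modules are loaded and credentials are in "subscriber".
route[REGISTRAR] {
    if (!is_method("REGISTER")) return;

    # Authenticate first. Flags "0": verify the credentials only; the
    # identity comparison is done explicitly below.
    if (!auth_check("$fd", "subscriber", "0")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # Option A: refuse a REGISTER whose To user ($tU) differs from the
    # authenticated user ($au), and log it so the attempt is visible.
    if ($au != $tU) {
        xlog("L_WARN", "REGISTER from $si:$sp: auth user '$au' asked for To user '$tU'\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # Option B (the fix from the post): ignore the To header and bind
    # the contact to the authenticated identity.
    if (!save("location", "0x00", "sip:$au@$rd")) {
        sl_reply_error();
    }
    exit;
}
```

Option A rejects devices that legitimately register with a To user different from their authentication username, as in the ticket described above; for those, drop the comparison and rely on Option B alone, with lookups keyed on the authentication username.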



