[SR-Users] Why is the To URI the default in save()?

Daniel Tryba d.tryba at pocos.nl
Tue May 16 14:29:29 CEST 2017


On Mon, May 15, 2017 at 03:06:38PM +0200, Daniel-Constantin Mierla wrote:
> > This opens the door to hijacking incoming calls to other users on the
> > same kamailio registrar if one knows/guesses other usernames and uses
> > those in the To header.
> SIP allows third party registrations. From header indicates who performs
> the registration. To header indicates for whom the registration is done.
> Auth username is the account/private identity associated with From. All
> these three can be different in SIP. In kamailio, we check that all of
> them are the same via the parameter options of auth_check().
> 
> If you give different public and private identities, then you need to
> keep the relation between them and check there is a match, otherwise,
> yes, if I have an account on the same service as you, then I can register
> my phone on your behalf. uri_db module is supposed to offer a
> database-based solution, but you can use other modules (e.g., sqlops,
> htable, ...).

Okay, didn't see it as a feature, only as a way to hijack. Never looked
at auth_check, but I'm glad someone thought about this.
 
> > This realisation is kind of shocking to me.
> Contact IETF guys, Alex pointed the reason in the other email ;-)
 
I'm over it now :)

Thanks for your and Alex's feedback.
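As an added illustration (not code from this thread, nor from the kamailio project itself), the kamailio.cfg fragment below applies the three-way identity check Daniel-Constantin describes to REGISTER requests before save() stores the binding: the flags argument of auth_check() is set to "1", which requires the username in the To URI of a REGISTER (the From URI for other requests) to equal the digest username. The `subscriber` table name and the use of `$fd` (the From-URI domain) as the realm follow the stock default configuration; the route name `REGISTRAR` is an assumption.

```kamailio
# Added example; assumes the auth_db, registrar and sl modules are loaded
# and the default 'subscriber' table is used for credentials.
route[REGISTRAR] {
    if (!is_method("REGISTER")) return;

    # Digest-authenticate against 'subscriber'; realm is the From-URI domain.
    # flags "1": the To-URI username of the REGISTER must match the
    # authenticated username, so one valid account cannot register a
    # Contact for a different local user (third-party registration is
    # rejected unless you add your own From/To relation check here).
    if (!auth_check("$fd", "subscriber", "1")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # Only after the identity check passes is the binding stored;
    # save() keys it on the To URI (the AoR), which has now been verified.
    if (!save("location")) {
        sl_reply_error();
    }
    exit;
}
```

If legitimate third-party registrations are needed, the check in auth_check() is not the right place to relax; keep flags "1" off only for requests where a separate lookup (uri_db, sqlops or htable, as the thread suggests) has confirmed that the authenticated account is allowed to register on behalf of the To-URI user.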
