[Serusers] hijack another account

Java Rockx javarockx at yahoo.com
Thu Dec 2 14:58:28 CET 2004


You can use proxy_authorize() for that -- I think.

--- kcassidy at kakelma.mine.nu wrote:

> Hi Java,
> 
>   This only checks the REGISTER method.  I think we need something to 
> check the URI in the INVITE method whether it's fake or not.  Just my 2 
> cents.
> 
>  P.S.  I'm not a SIP expert :)
> 
> 
> On Thu, 2 Dec 2004, Java Rockx wrote:
> 
> > I think you can use something like this to make sure digest credentials are valid.
> > 
> > if (method=="REGISTER") {
> > 
> >   if (!www_authorize("", "subscriber")) {
> >      www_challenge("", "0");
> >      break;
> >   };
> > 
> >   if (!check_to()) {
> >      sl_send_reply("401", "Unauthorized");
> >      break;
> >   };
> > 
> >   save();
> > }
> > 
> > --- kcassidy at kakelma.mine.nu wrote:
> > 
> > > Hi All,
> > > 
> > >   I found an interesting problem. Set up is using xlite, SER 0.8.12 with 
> > > digest authentication enabled.  I just realized that after I get 
> > > registered with account A.  Then change the "username" (keep authorization 
> > > user to A) in Xlite to someone's  SIP account (B).  I can make calls using 
> > > B's credits while registration  I'm using is still A's.  Is there a way to 
> > > fix this?
> > > 
> > > In xlite you have parameters:
> > > 
> > > Username: (use for actual call, pass on to GW (e.g. pstn))
> > > Authorization User: (use for registration)
> > > Password: (use for registration)
> > > 
> 
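
The problem in this thread is that digest authentication proves who A is, but nothing ties the From username (X-Lite's "Username") to the "Authorization User". As an added example (not code from the thread or from SER), the Python below shows the comparison a proxy has to make on an INVITE once the digest response itself has been verified; the function names, users and example.test messages are constructed for illustration.

```python
import re

def parse_headers(msg):
    """Map lowercased header names to values (first occurrence wins)."""
    out = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            name = {"f": "from", "t": "to"}.get(name, name)     # compact forms
            out.setdefault(name, value.strip())
    return out

def from_user(headers):
    """User part of the From URI; quoted display names are ignored."""
    value = re.sub(r'"(?:\\.|[^"\\])*"', "", headers.get("from", ""))
    m = re.search(r"<([^>]*)>", value)
    uri = m.group(1) if m else value.split(";")[0]
    m = re.match(r"\s*sips?:([^@;]+)@", uri)
    return m.group(1) if m else None

def digest_username(headers):
    """username= from the Digest credentials, or None if there are none."""
    for name in ("proxy-authorization", "authorization"):
        value = headers.get(name, "")
        if value.lower().startswith("digest"):
            m = re.search(r'[\s,]username="([^"]*)"', value[6:])
            if m:
                return m.group(1)
    return None

def check_identity(msg):
    """'challenge' without credentials, 'reject' on mismatch, else 'accept'."""
    headers = parse_headers(msg)
    auth = digest_username(headers)
    if auth is None:
        return "challenge"
    return "accept" if from_user(headers) == auth else "reject"

def make_invite(from_value, auth_user=None):
    """Constructed sample INVITE; users and example.test are made up."""
    lines = ["INVITE sip:15550100@example.test SIP/2.0",
             "From: " + from_value + ";tag=1",
             "To: <sip:15550100@example.test>"]
    if auth_user is not None:
        lines.append('Proxy-Authorization: Digest username="%s", '
                     'realm="example.test", nonce="n", response="r"' % auth_user)
    return "\r\n".join(lines) + "\r\n\r\n"
```

An INVITE that carries A's credentials with B in From comes back as "reject", including when B hides behind a display name that looks like A's URI.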
