[Serusers] maybe it's a weakness of SER auth
Jan Janak
jan at iptel.org
Tue Feb 10 16:55:27 CET 2004
You can compare the username in To/From with the username in the digest
credentials and refuse the message if they differ. See the check_from and
check_to functions in the uri module.
Jan.
On 10-02 11:09, wangji wrote:
> Hi all,
> My SER server uses mysql for auth. These days I have found a question.
> If a user has an account in the mysql database of the SER server, he can avoid system accounting.
> For example, a user has ID 123456 and he has the password.
> When he makes a call, he sends an INVITE like this (just a sample):
> INVITE sip:111111@iptel.org:5060 SIP/2.0
> From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
> To: <sip:111111@iptel.org>
> ............
> The SER server replies 407 (authentication request)
> Then the user replies ACK and sends an INVITE with authentication like
> INVITE sip:111111@iptel.org:5060 SIP/2.0
> From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
> To: <sip:111111@iptel.org>
> Proxy-Authorization: Digest username="123456", realm="iptel.org",nonce="....",uri="123456@iptel.org",response="............"
> (or Proxy-Authorization: Digest username="123456", realm="iptel.org",nonce="....",uri="333333@iptel.org",response="............" )
> ............
> Then the user passes the authentication using his ID, and he makes the call using another ID
>
> When registering to the SER server, he can use the same way for 401 auth.
>
> I tried it on my SER server and it passed! How do I avoid it?
>
>
> Jimmy
> 2/9/04
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
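The check Jan describes, re-implemented in Python as an added illustration (this is not SER's own code from the uri module): the username in the digest credentials is compared with the username in the From URI (for INVITE) or the To URI (for REGISTER), and a mismatch is rejected. The SIP messages below are constructed, modelled on the INVITE quoted in the thread; header names, nonce and response values are placeholders.

```python
import re

# Constructed sample modelled on the thread: the digest username (the account
# that really authenticated) is 123456, but the From header claims 654321.
SPOOFED_INVITE = """INVITE sip:111111@iptel.org:5060 SIP/2.0
From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
To: <sip:111111@iptel.org>
Proxy-Authorization: Digest username="123456", realm="iptel.org", nonce="n1", uri="sip:111111@iptel.org", response="0123456789abcdef"
"""

# Same INVITE, but the caller uses his own ID in From, as the check requires.
HONEST_INVITE = SPOOFED_INVITE.replace('"654321"<sip:654321@', '"123456"<sip:123456@')


def headers(msg):
    """Return {lower-case header name: value} for the SIP headers of msg."""
    hdrs = {}
    for line in msg.splitlines()[1:]:  # skip the request line
        if ':' in line:
            name, value = line.split(':', 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def uri_user(header_value):
    """Username part of the first sip: URI in a From/To header value, or None."""
    m = re.search(r'sip:([^@;>]+)@', header_value)
    return m.group(1) if m else None


def digest_user(hdrs):
    """username= parameter of the Proxy-Authorization or Authorization digest, or None."""
    for name in ('proxy-authorization', 'authorization'):
        if name in hdrs:
            m = re.search(r'username="([^"]*)"', hdrs[name])
            return m.group(1) if m else None
    return None


def check_header_user(msg, header):
    """True only if both usernames are present and identical; any missing piece fails closed."""
    hdrs = headers(msg)
    du = digest_user(hdrs)
    hu = uri_user(hdrs.get(header, ''))
    return du is not None and hu is not None and du == hu


def check_from(msg):  # use for INVITE (and other requests): From must match the credentials
    return check_header_user(msg, 'from')


def check_to(msg):    # use for REGISTER: the To (address of record) must match the credentials
    return check_header_user(msg, 'to')
```

Applied after authentication has already succeeded, `check_from(SPOOFED_INVITE)` is False and the proxy would answer with an error instead of routing the call under a foreign ID, while `check_from(HONEST_INVITE)` is True.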