[OpenSER-Users] Security hole in REGISTER's Contact using domain

Juha Heinanen jh at tutpro.com
Fri Dec 14 07:02:37 CET 2007


Iñaki Baz Castillo writes:

 > How to handle it? Is it not a real security hole?

1) buy pstn gws that accept no hostnames (just its own ip address) in
  the hostpart of r-uri.  example, cisco ios with later software
  releases.

2) forget the hostpart check altogether and instead check the
   userpart, where you have put something special that the gw then
   removes.

-- juha



