[OpenSER-Users] Security hole in REGISTER's Contact using domain
Iñaki Baz Castillo
ibc at in.ilimit.es
Fri Dec 14 09:59:36 CET 2007

On Friday 14 December 2007 07:02:37 Juha Heinanen wrote:
> Iñaki Baz Castillo writes:
>  > How to handle it? is it not a real security hole?
>
> 1) buy pstn gws that accept no hostnames (just its own ip address) in
>   the hostpart of r-uri.  example, cisco ios with later software
>   releases.
So really, isn't there a solution just on the OpenSER registrar side??
> 2) forget the hostpart check all together and instead check the
>    userpart, where you have put something special that the gw then
>    removes.
So you mean for example:
register.deny:
--------------------
  ALL : "^sip:.*secret_word_.*@"
----------------------
And later, in any call to PSTN OpenSER should add:
  # prefix the R-URI user part ($rU), not the whole R-URI
  $rU = "secret_word_" + $rU;
so the URI arriving at the gw becomes:
  sip:secret_word_01666555444@gw_ip_or_hostname
And the gw should just allow calls from OpenSER with a URI username beginning
with "secret_word_", and it should strip it.
Is this what you mean? Anyway, a little complex, isn't it?  XDD
Regards.
-- 
Iñaki Baz Castillo
ibc at in.ilimit.es
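As an added illustration (not part of the thread or of OpenSER), a Python model of the two checks discussed above: the host-based register.deny rule that a Contact naming the gateway by hostname bypasses, and the userpart rule plus gateway-side prefix stripping. The secret prefix, gateway IP and hostname are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed placeholders, not values from the thread.
SECRET_PREFIX = "secret_word_"
GATEWAY_IP = "192.0.2.10"  # RFC 5737 documentation address

_URI_RE = re.compile(r"^sips?:(?:(?P<user>[^@;>]*)@)?(?P<host>[^;:>]+)")

def parse_sip_uri(uri: str) -> Tuple[str, str]:
    """Return (user, host) of a SIP URI; user is '' when absent."""
    m = _URI_RE.match(uri.strip("<>"))
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    return (m.group("user") or ""), m.group("host").lower()

def host_check_denies(contact: str) -> bool:
    """Host-based register.deny: refuse a Contact whose host is the gateway IP.
    A Contact naming the gateway by hostname is not caught."""
    return parse_sip_uri(contact)[1] == GATEWAY_IP

def userpart_check_denies(contact: str) -> bool:
    """Proposed rule (ALL : "^sip:.*secret_word_.*@"): refuse any Contact
    whose user part carries the secret prefix, whatever host it points at."""
    return SECRET_PREFIX in parse_sip_uri(contact)[0]

def proxy_to_pstn(number: str) -> str:
    """R-URI the proxy sends to the gateway: the prefix goes on the user part."""
    return f"sip:{SECRET_PREFIX}{number}@{GATEWAY_IP}"

def gateway_accepts(ruri: str) -> Optional[str]:
    """Gateway side: accept only a prefixed user part, strip the prefix and
    return the number to dial; None means the call is rejected."""
    user, _ = parse_sip_uri(ruri)
    if not user.startswith(SECRET_PREFIX):
        return None
    return user[len(SECRET_PREFIX):]

def contact_can_abuse_gateway(contact: str) -> bool:
    """Could registering this Contact get a call accepted by the gateway?
    Only if the userpart rule lets it register AND the gateway accepts it."""
    if userpart_check_denies(contact):
        return False
    return gateway_accepts(contact) is not None
```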