[OpenSER-Users] Security hole in REGISTER's Contact using domain
    klaus.mailinglists at pernau.at 
    klaus.mailinglists at pernau.at
       
    Fri Dec 14 12:18:31 CET 2007
    
    
  
> Neill Wilkinson writes:
>
>  > Surely just authenticate all register requests with www-challenge. Hide
> your
>  > gateway and SER behind a firewall so your Gateway cannot be seen from
> the
>  > outside work (from a SIP Signalling perspective), and for PSTN calls
> from
>  > authenticated users do a rewritehost and forward to send the INVITEs on
> to
>  > the PSTN gateway?
>  >
>  > Neill....;o)
>
> perhaps you didn't understand the problem.  authenticating register
> requests is not enough.  you also need to check what user puts in
> contact(s), since you cannot hide your gws from your proxies.
btw: IMO this is a bug in SIP. The RFC tells us that the SIP proxy should
store the Contact URI and route calls based in this URI. But AFAIK the RFC
does not tell us to validate the Contact URI.
Never trust user provided data blindly. The Contact is user provided :-(
regards
klaus
    
    
More information about the Users
mailing list