[Users] User Registration Security on Openser

Christian Schlatter cs at unc.edu
Thu Jan 18 02:33:18 CET 2007


Howard Tang wrote:
> Hi,
> 
> I realized some one is able to make call and registered to my sip
> proxy while he/she is not in the subscriber table.
> 
> I couldn't find his/her username in the subscriber table, but i was
> able to see him/her in the location table. I am able to see he/she
> made 10 calls from my sip proxy.
> 
> Anyone have an idea on what i have done wrong? I have included the
> authentication part of code here.

Your config looks ok to me but it will allow someone with a valid digest 
username/password combination to register *any* AOR SIP URI. One method 
to avoid that is to use check_to() from the uri_db module.

Similarly you can use check_from() to make sure that endpoints use a SIP 
From header that exists in the subscriber table.

SIP digest credentials are independent of the SIP URIs used, allowing 
e.g. third-party registration. That means I could add a registration for 
your AOR SIP URI. But obviously this also introduces a risk of misuse.

I've added check_to() and check_from() to your config.

- Christian

# -- uri_db params --
modparam("uri_db", "db_url", 
"mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
modparam("uri_db", "subscriber_table", "subscriber")
modparam("uri_db", "use_uri_table", 0) # use subscriber table
modparam("uri_db", "use_domain", 0) # only check username (no multi
                                     # domain support)


> 
>     if (uri==myself) {
>                if (method=="REGISTER") {
>                        # Uncomment this if you want to use digest authentication
>                        if (!www_authorize("x.x.x.x", "subscriber")) {
>                                www_challenge("x.x.x.x", "0");
>                                exit;
>                        };

                          if (!check_to()) {
                                  sl_send_reply("401", "Unauthorized");
                                  exit;
                          }


>                        consume_credentials();
>                        save("location");
>                        exit;
>                };
> 
>                if (method=="INVITE") {
>                        if (!proxy_authorize("","subscriber")) {
>                                proxy_challenge("x.x.x.x","0");
>                                exit;
>                        }

                          if (!check_from()) {
                                  sl_send_reply("403", "Use From=ID");
                                  exit;
                          }

>                        consume_credentials();
>                };
> 
>                lookup("aliases");
>                if (!uri==myself) {
>                        append_hf("P-hint: outbound alias\r\n");
>                        route(1);
>                };
> 
> 
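The gap Christian describes (valid digest credentials for one subscriber, but a To or From URI naming another) can be modelled outside the proxy. The following is an added example, not code from the thread and not part of OpenSER or its uri_db module: it re-implements in Python what www_authorize()/proxy_authorize() check (an RFC 2617 digest response, MD5 without qop, against HA1 values in a subscriber table) and then applies the check_to()/check_from() rule that the To or From username must equal the authenticated digest username. The realm, nonce, subscriber records and SIP requests are constructed sample data; the realm stands in for the anonymised "x.x.x.x" in the config.

```python
import hashlib
import re

# Assumed realm (the thread anonymises it as "x.x.x.x") and a constructed
# server nonce; a real proxy issues a fresh nonce with every challenge.
REALM = "sip.example.com"
NONCE = "0123456789abcdef"


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, password: str) -> str:
    """HA1 as stored in a subscriber table: MD5(user:realm:password)."""
    return md5(f"{user}:{REALM}:{password}")


# Constructed subscriber table (sample data only): username -> HA1.
PASSWORDS = {"alice": "alice-secret", "bob": "bob-secret"}
SUBSCRIBERS = {u: ha1(u, p) for u, p in PASSWORDS.items()}


def digest_response(user: str, password: str, method: str, uri: str) -> str:
    """Client-side digest response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1(user, password)}:{NONCE}:{ha2}")


def parse_request(msg: str):
    """Split a SIP request into (method, {lower-cased header name: value})."""
    lines = msg.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def parse_digest(value: str):
    """Turn 'Digest a="b", c=d' into a dict; None if it is not a Digest header."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))


def uri_user(header_value: str):
    """Username of the SIP URI in a To/From header such as '"A" <sip:a@h>;tag=1'."""
    m = re.search(r"sips?:([^@>;]+)@", header_value)
    return m.group(1) if m else None


def authorize(method: str, headers: dict, auth_header: str):
    """Model of www_authorize()/proxy_authorize(): the digest username if the
    response verifies against the subscriber table, otherwise None."""
    creds = parse_digest(headers.get(auth_header, ""))
    if not creds or creds.get("realm") != REALM or creds.get("nonce") != NONCE:
        return None
    user = creds.get("username")
    stored_ha1 = SUBSCRIBERS.get(user)
    if stored_ha1 is None:
        return None
    ha2 = md5(f"{method}:{creds.get('uri', '')}")
    return user if md5(f"{stored_ha1}:{NONCE}:{ha2}") == creds.get("response") else None


def handle_register(msg: str, enforce_check_to: bool = True) -> int:
    """REGISTER branch of the config: digest auth, then the check_to() rule
    that the To username equals the authenticated username."""
    method, headers = parse_request(msg)
    user = authorize(method, headers, "authorization")
    if user is None:
        return 401                      # www_challenge() in the config
    if enforce_check_to and uri_user(headers.get("to", "")) != user:
        return 401                      # sl_send_reply("401", "Unauthorized")
    return 200                          # save("location") would run here


def handle_invite(msg: str, enforce_check_from: bool = True) -> int:
    """INVITE branch: proxy auth, then the check_from() rule on the From user."""
    method, headers = parse_request(msg)
    user = authorize(method, headers, "proxy-authorization")
    if user is None:
        return 407                      # proxy_challenge() in the config
    if enforce_check_from and uri_user(headers.get("from", "")) != user:
        return 403                      # sl_send_reply("403", "Use From=ID")
    return 200


def build_request(method: str, to_user: str, from_user: str, cred_user: str, password: str) -> str:
    """Constructed SIP request whose digest credentials belong to cred_user
    while To/From may name a different subscriber."""
    uri = f"sip:{REALM}" if method == "REGISTER" else f"sip:{to_user}@{REALM}"
    auth_name = "Authorization" if method == "REGISTER" else "Proxy-Authorization"
    resp = digest_response(cred_user, password, method, uri)
    return (
        f"{method} {uri} SIP/2.0\n"
        f"To: <sip:{to_user}@{REALM}>\n"
        f'From: "{from_user}" <sip:{from_user}@{REALM}>;tag=1\n'
        f'{auth_name}: Digest username="{cred_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{uri}", response="{resp}", algorithm=MD5\n'
    )


# The thread's scenario: alice's credentials verify, but the REGISTER names
# bob's AOR. Without check_to() it is saved; with it, it is refused.
third_party = build_request("REGISTER", "bob", "alice", "alice", "alice-secret")

if __name__ == "__main__":
    print("own AOR:", handle_register(build_request("REGISTER", "alice", "alice", "alice", "alice-secret")))
    print("third-party, no check_to:", handle_register(third_party, enforce_check_to=False))
    print("third-party, check_to:", handle_register(third_party))
    print("spoofed From on INVITE:", handle_invite(build_request("INVITE", "bob", "bob", "alice", "alice-secret")))
```

Running it shows the two outcomes the thread contrasts: the third-party REGISTER gets 200 with `enforce_check_to=False` and 401 once the check_to() rule is applied, and an INVITE whose From user differs from the digest user gets 403 from the check_from() rule. With use_domain set to 0, as in the modparam lines above, only the username is compared, which is what this model does; a multi-domain deployment would compare the domain too.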




