From wiquan@employees.org Wed Oct 17 18:05:11 2007
From: William Quan <wiquan@employees.org>
To: sr-users@lists.kamailio.org
Subject: [OpenSER-Users] sanitizing sip requests
Date: Wed, 17 Oct 2007 11:13:38 -0500
Message-ID: <471634B2.10408@employees.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0368600163=="

--===============0368600163==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi all,
I came across a security alert that basically embeds javascript in the
display name of the From to initiate cross-site-scripting (XSS) attacks.
Here is an example:

From: "<script>alert('hack')</script>""user"
<sip:user at domain.com <https://lists.grok.org.uk/mailman/listinfo/full-disc=
losure>>;tag=3D002a000c


Grammatically , I don't see an issue with this. However, under the right
circumstances this could get ugly.
Do you see value in having openser take a proactive role to detect these
and reject calls?  Or is this outside the scope of what a proxy should
be doing (leave it to the UA to sanitize) ?

Looking to get your thoughts-
-will


--===============0368600163==--