Please look at the onsip.org example scripts for how to use check_from() to prevent this. g-)
Paul PREVOT wrote:
Nobody is able to answer me? Is it impossible to ensure security with ser or openser? Do I have to modify www_authorize()?
Regards, Paul
-----Original Message-----
From: serusers-bounces@lists.iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Paul PREVOT
Sent: Tuesday, 4 July 2006 11:06
To: serusers@iptel.org
Subject: [Serusers] DB logging issue
Hi all,
I am using the following code to log calls in DB:
modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("acc", "log_level", 1)
#modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 3)

...
if (method=="INVITE") {
    # challenge until the request carries valid digest credentials
    if (!www_authorize("mydomain.org", "subscriber")) {
        www_challenge("mydomain.org", "0");
        return;
    };
    # flag 3 is the acc db_flag: account this call in the DB
    setflag(3);
};
In the following situation:
Username : sip:tutu@mydomain.org
Login : toto
Pw : toto
This client would be able to handle the challenge as he has a valid login and pw, but openser will log tutu in DB as caller!!!!
In this situation I'd like either to log correctly in DB or to reject the call and ask the user to set up his SIP client properly.
Have you already experienced this issue? Do you have any idea how to fix it? How can I check whether the username is really equal to the login used for authentication?
Regards, Paul
Serusers mailing list Serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
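The comparison that the reply's check_from() pointer is about, sketched in Python as an added example (not code from the thread or from OpenSER): it flags a request whose From user differs from the digest username, which is the tutu/toto case above. The sample INVITE is constructed, and comparing the user case-sensitively and the From host against the realm are this example's own choices.

```python
import re

# Constructed INVITE reproducing the thread's case: From user "tutu",
# digest credentials for "toto". All values are sample data.
SAMPLE_INVITE = (
    "INVITE sip:bob@mydomain.org SIP/2.0\r\n"
    'From: "Tutu" <sip:tutu@mydomain.org>;tag=1928301774\r\n'
    "To: <sip:bob@mydomain.org>\r\n"
    "CSeq: 2 INVITE\r\n"
    'Authorization: Digest username="toto", realm="mydomain.org", '
    'nonce="44aa0c6f", uri="sip:bob@mydomain.org", response="0f1e2d"\r\n'
    "Content-Length: 0\r\n\r\n"
)

COMPACT = {"f": "from"}  # RFC 3261 compact form of From

def parse_headers(message):
    """Return {lowercased header name: value} for the header section."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return headers

def from_identity(value):
    """Extract (user, host) from a From header value; user may be None."""
    m = re.search(r"sips?:(?:([^@;>\s]+)@)?([^;>\s:]+)", value, re.I)
    return (m.group(1), m.group(2).lower()) if m else (None, None)

def digest_identity(value):
    """Extract (username, realm) from a Digest Authorization value."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', value))
    return params.get("username"), (params.get("realm") or "").lower()

def caller_matches_credentials(message):
    """True only if From user and host equal the digest username and realm."""
    h = parse_headers(message)
    auth = h.get("authorization") or h.get("proxy-authorization")
    if "from" not in h or not auth:
        return False
    user, host = from_identity(h["from"])
    auth_user, realm = digest_identity(auth)
    return user is not None and user == auth_user and host == realm
```

A request that fails this comparison is the one to reject before the accounting flag is set, so the DB only ever records a caller name that was actually authenticated.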