You can compare the username in To/From and the username in the digest
credentials and refuse the message if they differ. See the check_from and
check_to functions in the uri module.
Jan.
On 10-02 11:09, wangji wrote:
Hi all,
My SER server uses mysql for auth. These days I found a question.
If a user has an account in the mysql database of the SER server, he can avoid system
accounting.
For example, a user has ID: 123456 and he has the password.
When he makes a call, he sends an INVITE like this (just a sample):
INVITE: sip:111111@iptel.org:5060 SIP/2.0
From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
To: <sip:111111@iptel.org>
............
The Ser server replies 407 (authentication request).
Then the user replies: ack and sends INVITE with authentication like
INVITE: sip:111111@iptel.org:5060 SIP/2.0
From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx
To: <sip:111111@iptel.org>
Proxy-Authorization: Digest username="123456",
realm="iptel.org",nonce="....",uri="123456@iptel.org",response="............"
(or Proxy-Authorization: Digest username="123456",
realm="iptel.org",nonce="....",uri="333333@iptel.org",response="............"
)
............
Then the user passes the authentication using his ID, and he makes a call using another ID.
When registering to the Ser server, he can use the same way for 401 auth.
I tried it on my Ser server and it passed! How to avoid it?
Jimmy
2/9/04
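The check Jan points to, written out as an added Python example (not SER's own code, which does this in the uri module's check_from/check_to): parse the request, take the user part of From (or of To for a REGISTER), take the username from the Digest credentials, and reject the request when they differ. The message below is constructed after the INVITE quoted in the thread; the nonce and response values are placeholders.

```python
import re

# Constructed sample modelled on the INVITE quoted above: the Digest
# username ("123456") does not match the From user ("654321").
SAMPLE_INVITE = (
    "INVITE sip:111111@iptel.org:5060 SIP/2.0\r\n"
    'From: "654321"<sip:654321@iptel.org>;tag=xxxxxxx\r\n'
    "To: <sip:111111@iptel.org>\r\n"
    'Proxy-Authorization: Digest username="123456", realm="iptel.org", '
    'nonce="placeholder", uri="sip:111111@iptel.org", response="placeholder"\r\n'
    "\r\n"
)

def parse_headers(msg):
    """Return (method, {lowercased header name: value}) for a SIP request."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon ends the name
        headers[name.strip().lower()] = value.strip()
    return method, headers

def uri_user(header_value):
    """User part of the first sip:/sips: URI in a From or To header."""
    m = re.search(r"sips?:([^@>;\s]+)@", header_value)
    return m.group(1) if m else None

def digest_username(header_value):
    """The username="..." parameter of a Digest credentials header."""
    m = re.search(r'username="([^"]*)"', header_value)
    return m.group(1) if m else None

def credentials_match_identity(msg):
    """Emulates check_from/check_to: the authenticated username must equal
    the user in From (for REGISTER: in To). Returns (accepted, reason)."""
    method, h = parse_headers(msg)
    cred = h.get("proxy-authorization") or h.get("authorization")
    if cred is None:
        return False, "no digest credentials"
    auth_user = digest_username(cred)
    # REGISTER binds the To identity; other requests assert the From identity
    identity_hdr = "to" if method == "REGISTER" else "from"
    identity_user = uri_user(h.get(identity_hdr, ""))
    if auth_user is None or identity_user is None:
        return False, "missing username"
    if auth_user != identity_user:
        return False, f"digest user {auth_user!r} != {identity_hdr} user {identity_user!r}"
    return True, "ok"
```

Run against the sample, the INVITE is refused because the From user and the Digest username differ; the same request with From rewritten to 123456 is accepted.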
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers