Hi Marc,
In OpenSER 1.2, you could add something like

    if ($au != $fU) {
        # authenticated user differs from the From user: reject and stop processing
        sl_send_reply("403", "Screening failed");
        exit;
    }

$au = Authorization Username
$fU = Username in the From-SIP-URI

I believe, in former versions of OpenSER there was a function for this,
but I don't remember.
Carsten
On Thursday, 06.09.2007, at 12:39 +0200, Marc LEURENT wrote:
Even there.. how to deny it with OpenSER!
Cirpack can do it, for example if I put a contact name different from my auth name,
it replies with an error!
It prevents another person from receiving your calls!!
Look, you have in From and Contact header the user 105
From:
<sip:105@sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7.
but my user is the 106 user
Authorization: Digest username="106",
realm="sd-7501.dedibox.fr",
nonce="46dfceb402cad04812873b855bc50ea65aa99ed5",
uri="sip:sd-7501.dedibox.fr",
response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth,
cnonce="38c102", nc=00000001.
> #
> U 82.127.0.79:1045 -> 88.191.45.91:5060
> REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0.
> Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420.
From:
<sip:105@sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7.
> To:
<sip:105@sd-7501.dedibox.fr:5060;user=phone>.
> Call-ID: 29eb6e9-c0a80101-5-17(a)192.168.95.70.
> CSeq: 90 REGISTER.
> Max-Forwards: 70.
> Expires: 3600.
> Contact: <sip:105@82.127.0.79:1046;user=phone>.
Authorization: Digest username="106",
realm="sd-7501.dedibox.fr",
nonce="46dfceb402cad04812873b855bc50ea65aa99ed5",
uri="sip:sd-7501.dedibox.fr",
response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth,
cnonce="38c102", nc=00000001.
> User-Agent: THOMSON ST2030 hw0 fw1.56
00-0E-50-4E-AF-C4.
> Allow-Events: refer,dialog,message-summary,check-sync,talk,hold.
> Content-Length: 0.
Carsten Bock wrote:
> Hi Marc,
>
> The problem is not the contact, but the From-Header. The From-Header
> contains the username, which registers. The Contact Header (according to
> RFC 3261) must be a valid URI, that's all (e.g. some CPE's put
> sip:<ip-address>:line=xyz in contact).
>
> Carsten
>
> On Thursday, 06.09.2007, at 12:01 +0200, Marc LEURENT wrote:
> I have a security matter with my configuration (default one), it's possible to
> register using login/password and to set anything in the contact field.
> So if you have an account 106/password, it's possible to be 105 in the location
> database!
>
> How is it possible to deny that kind of matter..? Thanks
>
> Is it useful to use: method_filtering of the REGISTRAR module
> Or is it better to do something with the values below and a compare function??
> $ct - reference to body of contact header
> $ar - realm from Authorization or Proxy-Authorization header
> $au - username from Authorization or Proxy-Authorization header
>
> if ($ct != $au@$ar) {
> sl_send_reply("403", "User and login must be the same");
> };
>
> Best Regards,
>
> Marc LEURENT
>
>
> #
> U 82.127.0.79:1045 -> 88.191.45.91:5060
> REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0.
> Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420.
> From: <sip:105@sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7.
> To: <sip:105@sd-7501.dedibox.fr:5060;user=phone>.
> Call-ID: 29eb6e9-c0a80101-5-17(a)192.168.95.70.
> CSeq: 90 REGISTER.
> Max-Forwards: 70.
> Expires: 3600.
> Contact: <sip:105@82.127.0.79:1046;user=phone>.
> Authorization: Digest username="106",
> realm="sd-7501.dedibox.fr",
> nonce="46dfceb402cad04812873b855bc50ea65aa99ed5",
> uri="sip:sd-7501.dedibox.fr",
> response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth,
> cnonce="38c102", nc=00000001.
> User-Agent: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4.
> Allow-Events: refer,dialog,message-summary,check-sync,talk,hold.
> Content-Length: 0.
> .
>
>
> AOR:: 105
> Contact:: sip:105@82.127.0.79:1046;user=phone Q=
> Expires:: 194
> Callid:: 29eb6e9-c0a80101-5-17(a)192.168.95.70
> Cseq:: 92
> User-agent:: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4
> Received:: sip:82.127.0.79:1045
> State:: CS_SYNC
> Flags:: 0
> Cflag:: 192
> Socket:: udp:88.191.45.91:5060
> Methods:: 4294967295
>
>>
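
Added example (not part of the original thread, and not OpenSER code): the screening rule discussed above as a stand-alone Python check, run over a constructed copy of the REGISTER from the trace. It goes slightly beyond the `$au != $fU` test by also comparing the To user, since To carries the address-of-record that a REGISTER binds. The function names and the 401/200 return values are assumptions of this example, and the digest response itself is not verified here.

```python
import re

# Constructed sample: the REGISTER from the thread, reduced to the relevant headers.
SAMPLE_REGISTER = (
    "REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0\r\n"
    "From: <sip:105@sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7\r\n"
    "To: <sip:105@sd-7501.dedibox.fr:5060;user=phone>\r\n"
    "Contact: <sip:105@82.127.0.79:1046;user=phone>\r\n"
    'Authorization: Digest username="106", realm="sd-7501.dedibox.fr",\r\n'
    ' uri="sip:sd-7501.dedibox.fr", algorithm=MD5, qop=auth\r\n'
    "Content-Length: 0\r\n\r\n"
)

COMPACT = {"f": "from", "t": "to"}  # RFC 3261 compact header names

def parse_headers(message):
    """Return {lowercase header name: first value}, unfolding continuation lines."""
    head = re.sub(r"\r\n[ \t]+", " ", message.split("\r\n\r\n", 1)[0])
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return headers

def uri_user(value):
    """User part of the first sip:/sips: URI in a header value, or None."""
    m = re.search(r"sips?:([^@:;>\s]+)(?::[^@\s]*)?@", value or "")
    return m.group(1) if m else None

def digest_username(value):
    """username parameter of a Digest Authorization header, or None."""
    m = re.search(r'\busername="([^"]*)"', value or "")
    return m.group(1) if m else None

def screen_register(message):
    """Return (status, reason): 403 when From or To user differs from the auth user."""
    h = parse_headers(message)
    auth_user = digest_username(h.get("authorization"))
    if auth_user is None:
        return 401, "no digest credentials"  # assumption: challenge first
    for name in ("from", "to"):
        user = uri_user(h.get(name))
        if user != auth_user:  # exact match; the SIP user part is case-sensitive
            return 403, f"{name} user {user!r} != auth user {auth_user!r}"
    return 200, "identity matches credentials"
```

Note that the Contact header is deliberately not compared: as stated in the thread, it only has to be a valid URI.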