[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

Kevin P. Fleming kpfleming at starnetworks.us
Sat Mar 12 00:34:23 MST 2005


Deti Fliegl wrote:
> This is a preliminary fix for the exploit identified in my last 
> postings. By far it would be better to fix the find_user call to look 
> for both the From header and a username in the 
> Proxy-Authorization header. We should even set an environment variable 
> (which can be used for dialplans) to return the auth username.

But there is no need for this... if you have a peer that is not allowed 
to make calls, just send it into a context that does not exist. Every 
INVITE it sends you will fail.

In the fairly near future, chan_sip will probably lose the entire 
concept of user/peer, and just go entirely to peer. There is no 
particular advantage to separating them, and a ton of duplicated code to 
support them.
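As an added example that is not part of this thread and is not chan_sip's code, the following Python model shows the failure mode the thread is about: an INVITE whose Digest credentials belong to one account while its From header names another. It takes the account's identity (callerid, context) either from the From header or from the verified Proxy-Authorization username, and it also models the workaround from the reply above, an account whose context does not exist in the dialplan, so its INVITE fails. The account table, realm, nonce, host name and the INVITE itself are all constructed for this example.

```python
import hashlib
import re

# Constructed data for this example only (no real accounts, hosts or nonces).
REALM = "asterisk"
NONCE = "1a2b3c4d"
REQUEST_URI = "sip:5551000@pbx.example.invalid"
DIALPLAN_CONTEXTS = {"internal"}          # contexts that actually exist in the dialplan

# Hypothetical account table standing in for sip.conf entries.
ACCOUNTS = {
    "alice": {"secret": "alice-secret", "context": "internal",        "callerid": "Alice <1001>"},
    "bob":   {"secret": "bob-secret",   "context": "internal",        "callerid": "Bob <1002>"},
    "kiosk": {"secret": "kiosk-secret", "context": "no-such-context", "callerid": "Kiosk <1003>"},
}


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, secret, method, uri):
    # RFC 2617 Digest without qop: MD5(HA1 ":" nonce ":" HA2).
    ha1 = _md5(f"{username}:{REALM}:{secret}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{NONCE}:{ha2}")


def build_invite(auth_user, claimed_from):
    """Constructed INVITE: valid credentials of auth_user, but From claims claimed_from."""
    resp = digest_response(auth_user, ACCOUNTS[auth_user]["secret"], "INVITE", REQUEST_URI)
    return "\r\n".join([
        f"INVITE {REQUEST_URI} SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        f'From: "{claimed_from}" <sip:{claimed_from}@pbx.example.invalid>;tag=1928301774',
        f"To: <{REQUEST_URI}>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 1 INVITE",
        f'Proxy-Authorization: Digest username="{auth_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{REQUEST_URI}", response="{resp}"',
        "Content-Length: 0",
        "", "",
    ])


def parse_headers(msg):
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def from_user(headers):
    m = re.search(r"sip:([^@>;]+)@", headers.get("from", ""))
    return m.group(1) if m else None


def authenticated_user(headers):
    """Return the Digest username only if its response verifies against that account."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("proxy-authorization", "")))
    acct = ACCOUNTS.get(params.get("username"))
    if acct is None:
        return None
    expected = digest_response(params["username"], acct["secret"], "INVITE", params.get("uri", ""))
    return params["username"] if params.get("response") == expected else None


def route_invite(msg, identify_by_from):
    """Returns (status, account used for identity, callerid that would be presented)."""
    headers = parse_headers(msg)
    auth_user = authenticated_user(headers)
    if auth_user is None:
        return ("rejected", None, None)
    # identify_by_from=True models the reported problem: identity taken from the
    # unauthenticated From header.  False takes it from the verified credential.
    identity = from_user(headers) if identify_by_from else auth_user
    acct = ACCOUNTS.get(identity)
    if acct is None:
        return ("rejected", None, None)
    if acct["context"] not in DIALPLAN_CONTEXTS:
        return ("failed", identity, acct["callerid"])   # dead-context workaround
    return ("accepted", identity, acct["callerid"])


def callerid_spoofed(msg, identify_by_from):
    """True when the call is placed under an identity other than the authenticated one."""
    status, identity, _ = route_invite(msg, identify_by_from)
    return status != "rejected" and identity != authenticated_user(parse_headers(msg))
```

With `build_invite("alice", "bob")`, the From-based lookup presents Bob's callerid for a call that alice authenticated, while the credential-based lookup presents Alice's. An account whose context is not in the dialplan fails either way, which is the workaround described above.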


