[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

Andres andres at telesip.net
Sun Mar 13 22:27:12 MST 2005



Deti Fliegl wrote:

> Hi there,
>
> all that started by investigating what happens if SIP clients are 
> calling anonymously.
> The problem: Every client who is registered as a regular user with 
> username and secret can fake any callerid in subsequent INVITEs. 
> Asterisk does not apply an accountcode or callerid from sip.conf. 
> Those calls end up unbilled and untraceable.

I just tested this.  You are totally right. 

Simple way to reproduce this with a Sipura:
1.  Have the unit register with your Asterisk provider.
2.  Then under the advanced settings change Register to "No" and Make 
Calls Without Register to "Yes".
3.  Change your username.
4.  Make a call and see how it does not show up under your CDRs!

I would consider this a major problem.  Anyone depending on this might 
want to open up a bug report.

>
> Is there any way to fix this problem - did I misunderstand something, 
> what am I doing wrong?
>

-- 
Andres
Network Admin
http://www.telesip.net
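
A detection sketch for the condition reported in this thread, added here as an example and not part of the original messages or of Asterisk: it compares the user in an INVITE's From header with the Digest username the request carries. The function names, verdict strings and sample messages are constructed for illustration, and it assumes the INVITEs were logged after the server accepted their credentials.

```python
import re

COMPACT = {"f": "from"}                        # SIP compact form of From
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')      # quoted display name
URI_USER = re.compile(r"sips?:([^@;>\s]+)@", re.I)
AUTH_USER = re.compile(r'\busername="([^"]*)"', re.I)

def parse_headers(raw):
    """Map lower-cased header names to value lists, unfolding continuation lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers, name = {}, None
    for line in head.split("\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and name:   # folded continuation line
            headers[name][-1] += " " + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            name = COMPACT.get(key.strip().lower(), key.strip().lower())
            headers.setdefault(name, []).append(value.strip())
    return headers

def check_invite(raw):
    """Return (verdict, from_user, auth_user); verdict is None for non-INVITE input."""
    if not raw.upper().startswith("INVITE "):
        return (None, None, None)
    h = parse_headers(raw)
    from_value = QUOTED.sub("", (h.get("from") or [""])[0])  # ignore display name
    from_user = next(iter(URI_USER.findall(from_value)), None)
    creds = h.get("authorization", []) + h.get("proxy-authorization", [])
    auth_user = next(iter(AUTH_USER.findall(" ".join(creds))), None)
    if auth_user is None:
        return ("unauthenticated", from_user, None)
    if from_user is None or from_user.lower() != auth_user.lower():
        return ("mismatch", from_user, auth_user)
    return ("ok", from_user, auth_user)

def invite(from_hdr, auth=None):               # builds a constructed sample INVITE
    lines = ["INVITE sip:5551234@pbx.example.com SIP/2.0", from_hdr,
             "To: <sip:5551234@pbx.example.com>", "Call-ID: constructed", "CSeq: 2 INVITE"]
    if auth:
        lines.append('Authorization: Digest username="%s", realm="example",'
                     ' nonce="0", uri="sip:5551234@pbx.example.com", response="0"' % auth)
    return "\r\n".join(lines) + "\r\n\r\n"

SAMPLES = [invite('From: "1001" <sip:1001@pbx.example.com>;tag=a', auth="1001"),
           invite('From: "Front Desk" <sip:9999@pbx.example.com>;tag=b', auth="1001"),
           invite('f: "sip:1001@x" <sip:anonymous@anonymous.invalid>;tag=c')]

if __name__ == "__main__":
    print([check_invite(s)[0] for s in SAMPLES])
```

A "mismatch" or "unauthenticated" verdict marks a call whose From user cannot be tied to the account that placed it, which is the case the thread describes as ending up unbilled and untraceable.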




