[asterisk-dev] bypass "contactdeny" option with nat=yes

Olle E. Johansson oej at edvina.net
Tue May 4 14:49:35 CDT 2010


On 4 May 2010, at 21:25, Klaus Darilion wrote:

> Hi!
> 
> As suggested by the bugtracker manager I post this issue on the mailing 
> list: https://issues.asterisk.org/view.php?id=17276
> 
> The contactdeny option in sip.conf can be used to prevent a user from 
> registering certain contact IPs. Therefore, the Contact URI is verified.
> 
> But in case of "nat=yes", the contact URI is not even used for routing, 
> thus it does not make sense to screen the contact URI. IMO it does not 
> even make sense, but it is a bug because if the malicious user sends the 
> requests from a denied IP address (e.g. using src-ip-spoofing) it is 
> possible to bypass this security option.
> 
> The solution is rather easy - in case of nat=yes the rcvd-address should 
> be screened instead of the Contact URI.

I agree. Contactdeny should be used for what we SAVE in the registry,
not only what we receive from the devices.

/O
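The two screening policies discussed above, as an added example (Python, written for this thread, not Asterisk's own code): the reported behaviour screens the Contact URI whatever `nat` is set to, while the proposed fix screens the address that will actually be stored in the registry. The REGISTER message, the deny list and the source address are constructed sample values.

```python
import ipaddress
import re

# Constructed sample REGISTER: the Contact host is a private address behind NAT
# while the packet itself arrives from a public address (received_ip below).
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.com>;tag=49583\r\n"
    "To: <sip:1001@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Hypothetical contactdeny ACL, constructed for this example.
CONTACTDENY = ["203.0.113.0/24"]

def contact_host(msg):
    """Host part of the Contact URI (IPv4 literal or hostname; bracketed IPv6 not handled)."""
    m = re.search(r"^Contact:\s*<?sips?:(?:[^@>\r\n]*@)?([^:;>\s]+)", msg, re.M | re.I)
    return m.group(1) if m else None

def in_deny_list(host, deny_list):
    """True if host is an IP literal inside any denied network; hostnames are not resolved."""
    try:
        ip = ipaddress.ip_address(host)
    except (ValueError, TypeError):
        return False
    return any(ip in ipaddress.ip_network(net) for net in deny_list)

def screen_contact_only(msg, received_ip, nat, deny_list):
    """Behaviour reported in the thread: the Contact URI is screened regardless of nat."""
    target = contact_host(msg)
    return target, in_deny_list(target, deny_list)

def screen_stored_address(msg, received_ip, nat, deny_list):
    """Proposed fix: screen the address that will be saved in the registry.
    With nat=yes that is the received source address, not the Contact URI."""
    target = received_ip if nat else contact_host(msg)
    return target, in_deny_list(target, deny_list)

if __name__ == "__main__":
    src = "203.0.113.7"  # constructed: packet source inside the denied range
    print("contact-only  :", screen_contact_only(SAMPLE_REGISTER, src, True, CONTACTDENY))
    print("stored-address:", screen_stored_address(SAMPLE_REGISTER, src, True, CONTACTDENY))
```

With nat=yes and a source address inside the denied range, the contact-only check returns allowed while the stored-address check refuses the registration.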


