[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Deti Fliegl
deti at fliegl.de
Fri Mar 11 16:43:24 MST 2005
This is a preliminary fix for the exploit identified in my last
postings. By far it would be better to fix the find_user call to look
for both the From-header and a username in the
Proxy-Authorization-header. We even should set an environment variable
(which can be used for dialplans) to return the auth username.
--- channels/chan_sip.c~ 2005-03-12 00:23:37.042949169 +0100
+++ channels/chan_sip.c 2005-03-12 00:23:37.123942442 +0100
@@ -5487,7 +5487,7 @@
free(user);
#endif
ast_mutex_unlock(&userl.lock);
- if (!user) {
+ if (!user && strcasecmp(cmd, "INVITE")) {
/* If we didn't find a user match, check for peers */
ast_mutex_lock(&peerl.lock);
/* Look for peer based on the IP address we received
data from */
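Review bot: the new condition `if (!user && strcasecmp(cmd, "INVITE"))` now skips the peer lookup for every INVITE that did not match a user, but the comment right below it still says "If we didn't find a user match, check for peers", so the comment no longer describes the code; add a line such as `/* INVITEs without a user match are deliberately not matched against peers */` and state why. Two things to confirm before merging: `cmd` is not declared in the visible context, so check that it really holds the request method at this point; and the change rejects INVITEs from IP-matched peers that have no matching user entry, which is a behaviour change for such callers rather than the From-vs-Proxy-Authorization check the post itself says is the proper fix.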
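The check the post asks for, as an added example that is not code from chan_sip.c or from the original poster: extract the username from a Digest Proxy-Authorization header and the user part of the From header, and accept the caller identity only when they agree. It assumes sip: URIs and Digest credentials; the header strings in the test are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the value of username="..." from Digest credentials into out.
 * Returns 1 on success, 0 if the parameter is missing or too long. */
int digest_username(const char *auth, char *out, size_t outlen)
{
    const char *p = strstr(auth, "username=\"");
    if (!p)
        return 0;
    p += strlen("username=\"");
    const char *end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= outlen)
        return 0;
    memcpy(out, p, end - p);
    out[end - p] = '\0';
    return 1;
}

/* Copy the user part of the sip: URI in a From header into out.
 * The URI is searched after '<' when present, so a display name that
 * happens to contain "sip:" is ignored. Returns 1 on success. */
int from_user(const char *from, char *out, size_t outlen)
{
    const char *lt = strchr(from, '<');
    const char *p = strstr(lt ? lt : from, "sip:");
    if (!p)
        return 0;
    p += 4;
    size_t n = strcspn(p, "@>;");   /* user part ends at '@', '>' or ';' */
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* The check proposed in the post: the From user must equal the
 * authenticated username (case-insensitive), otherwise reject. */
int from_matches_auth(const char *from, const char *auth)
{
    char u1[64], u2[64];
    if (!from_user(from, u1, sizeof u1) || !digest_username(auth, u2, sizeof u2))
        return 0;
    return strcasecmp(u1, u2) == 0;
}
```

A real implementation would run this from the INVITE handler after the Digest response has been verified, since an unverified username proves nothing.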