[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Kevin P. Fleming
kpfleming at starnetworks.us
Sat Mar 12 00:34:23 MST 2005
Deti Fliegl wrote:
> This is a preliminary fix for the exploit identified in my last
> postings. By far it would be better to fix the find_user call to look
> for both, the From-header and a username in the
> Proxy-Authorization-header. We even should set an environment variable
> (which can be used for dialplans) to return the auth username.
But there is no need for this... if you have a peer that is not allowed
to make calls, just send it into a context that does not exist. Every
INVITE it sends you will fail.
In the fairly near future, chan_sip will probably lose the entire
concept of user/peer, and just go entirely to peer. There is no
particular advantage to separating them, and a ton of duplicated code to
support them.
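
Added example, not part of the original message and not Asterisk code: a log-side check for the condition discussed in the quoted text, comparing the user in the From header with the username in the Proxy-Authorization header of a SIP request. The sample requests, host names and the `headers`/`check` helpers are constructed for illustration.

```python
import re

# Constructed sample requests (not captured traffic); names and hosts are placeholders.
SPOOFED = (
    "INVITE sip:1000@pbx.example.invalid SIP/2.0\r\n"
    "From: \"Boss\" <sip:alice@pbx.example.invalid>;tag=1\r\n"
    "To: <sip:1000@pbx.example.invalid>\r\n"
    "Proxy-Authorization: Digest username=\"bob\", realm=\"asterisk\", "
    "nonce=\"0000\", uri=\"sip:1000@pbx.example.invalid\", response=\"0000\"\r\n"
    "\r\n"
)
HONEST = SPOOFED.replace("sip:alice@", "sip:bob@")


def headers(msg):
    """Return {lowercased name: value} for the header section, unfolding folded lines."""
    head = msg.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)
    out = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            out.setdefault(name.strip().lower(), value.strip())
    return out


def check(msg):
    """Return (from_user, auth_user, status); status is match, mismatch or no-auth."""
    h = headers(msg)
    # Drop the quoted display name first so a URI-looking display name is not
    # mistaken for the real From URI. "f" is the compact form of From.
    frm = re.sub(r'"(?:\\.|[^"\\])*"', "", h.get("from", h.get("f", "")))
    m = re.search(r"sips?:([^@;>\s]+)@", frm, re.I)
    from_user = m.group(1) if m else None
    cred = h.get("proxy-authorization") or h.get("authorization") or ""
    a = re.search(r'\busername\s*=\s*"([^"]*)"', cred, re.I)
    auth_user = a.group(1) if a else None
    if auth_user is None:
        return from_user, None, "no-auth"
    status = "match" if from_user == auth_user else "mismatch"
    return from_user, auth_user, status


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("honest", HONEST)):
        print(label, check(msg))
```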