This is a preliminary fix for the exploit identified in my last postings. By far it would be better to fix the find_user call to look for both the From-header and a username in the Proxy-Authorization-header. We even should set an environment variable (which can be used for dialplans) to return the auth username.

--- channels/chan_sip.c~ 2005-03-12 00:23:37.042949169 +0100
+++ channels/chan_sip.c 2005-03-12 00:23:37.123942442 +0100
@@ -5487,7 +5487,7 @@
free(user);
#endif
ast_mutex_unlock(&userl.lock);
- if (!user) {
+ if (!user && strcasecmp(cmd, "INVITE")) {
/* If we didn't find a user match, check for peers */
ast_mutex_lock(&peerl.lock);
/* Look for peer based on the IP address we received data from */
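Review bot: the new condition `if (!user && strcasecmp(cmd, "INVITE"))` skips the peer lookup entirely for any INVITE that did not match a user, so an INVITE from a peer that is only identified by source IP (the "Look for peer based on the IP address we received data from" branch below) will no longer be matched either; unless rejecting all such INVITEs is intended, the INVITE case needs its own handling rather than being excluded from peer matching. The comment `/* If we didn't find a user match, check for peers */` should also be updated to say that INVITEs are excluded, and since the hunk does not show where `cmd` is set, confirm it holds the request method and is in scope at this point.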


_______________________________________________
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users