On Thu, Mar 10, 2011 at 6:57 AM, Michael Scheidell <[email protected]> wrote:

>  On 3/9/11 5:48 PM, Mircea Carasel wrote:
>
> This web server is not secured in any way, and basically anyone can write a
> SOAP client and get ongoing calls:
> http://wiki.sipfoundry.org/display/sipXecs/Configuration+SOAP+API
>
> I was thinking and wondering if this is a security issue; I know that for
> instance sipXconfig SOAP services are secured
>
> I need to ask, and be clear on the question.
>
> Are you saying that ADDING REST is a security issue?
> Or are you saying that NOW anyone can write a SOAP client since sipx does
> not authenticate?
>

He said neither thing. He said he was adding a service to get CDR active
calls via SOAP. This particular CDR service has its own web interface and is
currently not secured by any method. He was looking for input. He also said
sipXecs SOAP services ARE secured.

HIS specific CDR service only shows the CDR data of calls in progress. I
think it would be nice to secure this piece as well, but I'm not sure how
much it matters to others.

I don't think I would go as far as to say this is any type of security issue.
No one is using this service, and it exposes NO credentials.

*"I know that for instance sipXconfig SOAP services are secured"*

> what can a SOAP client do?
>
> Let's just make it easy on everyone who forgets their passwords.  I have a
> patch that removes all authentication from sipx.  This way, if you write a
> program that scans the internet, looking for open sipx servers, you can use
> the sipx system, make click to dial calls, initiate conferences and add
> users without the bothersome user name password thing.  Why bother making
> hackers brute-force a username/password?
>
> OF COURSE THIS IS A SECURITY ISSUE.  YOU SHOULD NEVER HAVE DISCLOSED THIS
> IN PUBLIC WITHOUT FIRST WORKING ON A PATCH.  NOW EVERY SIPX SYSTEM OUT THERE
> IS VULNERABLE TO HACKERS AND TOLL FRAUD AND YOU JUST TOLD THEM HOW TO HACK
> IT.
>
> WE ARE REMOVING PUBLIC ACCESS TO PORT 8443 RIGHT NOW.
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> | SECNAP Network Security Corporation
>
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
-- 
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.326.5325

Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]

Helpdesk Contract Customers:
http://support.myitdepartment.net

Blog:
http://blog.myitdepartment.net

Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev/