The save function from the registrar module uses the To header to dissect and store the username for the location table, according to observations and documentation: http://www.kamailio.org/docs/modules/stable/modules/registrar.html#registrar.f.save

After troubleshooting a ticket from an end user unable to receive calls, where all looked fine but the username used for authentication wasn't showing up in the location database, I finally found that the REGISTER was added to the location database, but not with the user's username; instead it was using the username (phone number) specified in the To header.

Till now I always assumed that the username in the location table would be the username used during authentication(*).

This opens the door to hijacking incoming calls to other users on the same Kamailio registrar if one knows/guesses other usernames and uses those in the To header.

This realisation is kind of shocking to me.

The solution is simple (if authentication is required):

    save("location", "0x00", "sip:$au@$rd");

*: which kind of answers my question in the subject, what else can be used if there is no authentication required?
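
A check for the mismatch described above, as an added example that is not part of the original post: it classifies REGISTER requests by whether the digest username equals the To user, which is the case where save() would store the binding under a different user's address. The sample messages are constructed, the function names are hypothetical, and the comparison is an exact string match on the user part.

```python
import re

COMPACT = {"t": "to", "f": "from"}  # SIP compact header forms

def parse_headers(msg):
    """Map lowercased header names to the first value seen for each."""
    head = re.sub(r"\r\n[ \t]+", " ", msg.split("\r\n\r\n", 1)[0])  # unfold
    out = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            out.setdefault(COMPACT.get(name, name), value.strip())
    return out

def to_user(value):
    """User part of the To URI, or None when the URI has no user part."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1).split(":", 1)[0] if m else None

def auth_user(value):
    """Digest username with any @realm suffix dropped, or None."""
    m = re.search(r'\busername\s*=\s*"([^"]*)"', value or "")
    return m.group(1).split("@", 1)[0] if m else None

def check_register(msg):
    """Classify a REGISTER: 'ok', 'mismatch', 'no-auth' or 'not-register'."""
    if not msg.startswith("REGISTER "):
        return "not-register"
    h = parse_headers(msg)
    au = auth_user(h.get("authorization"))
    if au is None:
        return "no-auth"
    # Assumption: exact, case-sensitive comparison of the two user parts.
    return "ok" if au == to_user(h.get("to", "")) else "mismatch"

def register(to, auth=None):
    """Build a constructed REGISTER for the demo (not captured traffic)."""
    lines = ["REGISTER sip:example.test SIP/2.0", to,
             "From: <sip:alice@example.test>;tag=1"]
    if auth:
        lines.append('Authorization: Digest username="%s", '
                     'realm="example.test", nonce="n", response="r"' % auth)
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    print(check_register(register("To: <sip:alice@example.test>", "alice")))
    print(check_register(register('t: "Bob" <sip:bob@example.test>', "alice")))
    print(check_register(register("To: <sip:alice@example.test>")))
```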