[ openser-Bugs-1850882 ] [permissions] bug in default "register.deny"
|
View:
New views
1 Messages
—
Rating Filter:
Alert me
|
 |
[ openser-Bugs-1850882 ] [permissions] bug in default "register.deny"
by SourceForge.net
::
Rate this Message:
Bugs item #1850882, was opened at 2007-12-14 17:26
Message generated for change (Comment added) made by ibc_sf You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1850882&group_id=139143 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Iaki Baz (ibc_sf) Assigned to: Henning Westerholt (henningw) Summary: [permissions] bug in default "register.deny" Initial Comment: Hi, the file "register.deny" included in: http://openser.svn.sourceforge.net/viewvc/openser/trunk/modules/permissions/config/register.deny?view=markup puts as example a gw with IP 1.2.3.4 and a regular expresion: ALL : "^sip:.*1\.2\.3\.4$" This is obviosly vulnerable because a malicious user could send a REGISTER with: Contact: <sip:PSTN_number@...> And IP 1.2.0003.4 is the same as 1.2.3.4 but wouldn't be matched by regular expression. Because that I propose to set: ALL : "^sip:.*0*1\.0*2\.0*3\.0*4$" to avoid any number of 0's. And other thing, the phrase: # (Don't forget to list also all hostnames that can # be used to reach the PSTN gateway) This is a false security recommendation since anyone can register a public domain pointing to any IP, so a malicious user could register a domain "blablabla.com" pointing to 1.2.3.4 and this would bypass "register.deny" security. ---------------------------------------------------------------------- >Comment By: Iaki Baz (ibc_sf) Date: 2008-07-08 09:41 Message: Logged In: YES user_id=1844020 Originator: YES Hi, take a look to this example: --------- ~$ host 217.12.6.29 29.6.12.217.in-addr.arpa domain name pointer rc1.vip.ukl.yahoo.com. ~$ host 217.12.06.29 217.12.06.29 has address 217.12.6.29 Host 217.12.06.29 not found: 3(NXDOMAIN) Host 217.12.06.29 not found: 3(NXDOMAIN) ~$ ping 217.12.06.29 PING 217.12.06.29 (217.12.6.29) 56(84) bytes of data. 64 bytes from 217.12.6.29: icmp_seq=1 ttl=245 time=69.5 ms 64 bytes from 217.12.6.29: icmp_seq=2 ttl=245 time=67.2 ms ----------- About my suggestion I just can point you the discussion it was in OpenSer-users maillist about it some time ago: http://openser.org/pipermail/users/2007-December/014853.html The conclusion was simple: The only and reliable solution to avoid fraudulent registrations (faked "Contact") is the use of blacklists, as Klaus suggested: http://openser.org/pipermail/users/2007-December/014867.html There is another way by using "register.deny" but avoiding registration with a hostname/domain in the "Contact" as Juha suggested: http://openser.org/pipermail/users/2007-December/014855.html But IMHO using "register.deny" (including there IP's but allowing hostnames/domains) is compeltely a securuty lack. Balcklists work perfectly for me. ---------------------------------------------------------------------- Comment By: Henning Westerholt (henningw) Date: 2008-07-07 13:43 Message: Logged In: YES user_id=337916 Originator: NO Hi Iaki, AFAIK resolve 1.2.0003.4 and 1.2.3.4 not to the same name, at least on my machine. With regards to the recommendation, do you've a better suggestion? Cheers, Henning ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1850882&group_id=139143 _______________________________________________ Devel mailing list Devel@... http://lists.openser.org/cgi-bin/mailman/listinfo/devel |
| Free Forum Powered by Nabble | Forum Help |