[Freeswitch-users] SIP users
David Knell
dave at 3c.co.uk
Wed Dec 26 10:47:15 EST 2007
Brian West wrote:
> On Dec 26, 2007, at 8:02 AM, David Knell wrote:
>
>
>> Less wordily, any user can get any other user's calls by changing
>> their SIP username to match that user's.
>>
>
>
> How can they do that if auth calls is turned on? If you have blind
> reg on then sure someone could.
>
>
They can do it because their SIP username is not necessarily the same as
the name used for authentication, and it's the SIP username that's used
for call routing. Here's a bit of a REGISTER:
Via: SIP/2.0/UDP 192.168.0.103:42074;branch=z9hG4bK-d8754z-894af021546db132-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:sipusername@75.71.186.17:42074;rinstance=65c73083353adf9d>;expires=0
To: "sipdisplayname"<sip:sipusername@78.129.143.200>
From: "sipdisplayname"<sip:sipusername@78.129.143.200>;tag=b2127143
Call-ID: NjY0MmU5ZjhhMTJhZmFlYWJhMmM4MDY3NTVjZjlkYWI.
CSeq: 3 REGISTER
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1013t stamp 43070
Authorization: Digest username="sipauthname",realm="78.129.143.200",nonce="2da9c5ae-b512-11dc-92d4a9bf24bac484",uri="sip:78.129.143.200",response="c13fe382888ec016e234595b608caab0",cnonce="780c520efb22fe9fdf270fd8cd5e2a28",nc=00000002,qop=a
Content-Length: 0
- note that sipdisplayname, sipusername and sipauthname are all distinct.
--Dave
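
An added example, not part of the original post and not FreeSWITCH code: a registrar-side check that flags a REGISTER whose To/From SIP user is not one the authenticated Digest username is permitted to claim. The function names, the `allowed` mapping, and the policy that an auth name may only register its own user unless mapped otherwise are assumptions made for illustration.

```python
import re

# Constructed sample: the headers from the post that the check reads, plus a
# request line (assumed; the post does not show it).
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:78.129.143.200 SIP/2.0",
    'To: "sipdisplayname"<sip:sipusername@78.129.143.200>',
    'From: "sipdisplayname"<sip:sipusername@78.129.143.200>;tag=b2127143',
    "CSeq: 3 REGISTER",
    'Authorization: Digest username="sipauthname",realm="78.129.143.200",',
    ' uri="sip:78.129.143.200"',  # folded continuation line
    "Content-Length: 0",
    "", "",
])

def parse_headers(raw):
    """Return {lower-case header name: value}, unfolding continuation lines."""
    headers, name = {}, None
    for line in raw.split("\r\n")[1:]:       # skip the request line
        if not line:                          # blank line ends the headers
            break
        if line[0] in " \t" and name:         # folded header: append to previous
            headers[name] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = value.strip()
    return headers

def uri_user(value):
    """User part of the first sip:/sips: URI in a To/From value, or None."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1) if m else None

def digest_username(value):
    """username= parameter of a Digest Authorization value, or None."""
    if not re.match(r"Digest\s", value, re.I):
        return None
    m = re.search(r'\busername="([^"]*)"', value)
    return m.group(1) if m else None

def identity_mismatches(raw, allowed=None):
    """Headers whose SIP user the authenticated name is not permitted to use.

    allowed (hypothetical policy table) maps auth name -> set of SIP users;
    an auth name with no entry may only register a SIP user equal to itself.
    """
    h = parse_headers(raw)
    auth_user = digest_username(h.get("authorization", ""))
    if auth_user is None:
        return ["authorization"]              # nothing to bind the SIP user to
    permitted = (allowed or {}).get(auth_user, {auth_user})
    return [n for n in ("to", "from") if uri_user(h.get(n, "")) not in permitted]
```

A registrar applying this would reject or log the request whenever the returned list is non-empty, before the binding is stored and used for routing.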