[Freeswitch-users] SIP users

David Knell dave at 3c.co.uk
Wed Dec 26 07:47:15 PST 2007


Brian West wrote:
> On Dec 26, 2007, at 8:02 AM, David Knell wrote:
>
>> Less wordily, any user can get any other user's calls by changing
>> their SIP username to match that user's.
>
> How can they do that if auth calls is turned on?  If you have blind
> reg on then sure someone could.
>
They can do it because their SIP username is not necessarily the same as
the name used for authentication, and it's the SIP username that's used
for call routing.  Here's a bit of a REGISTER:

Via: SIP/2.0/UDP 192.168.0.103:42074;branch=z9hG4bK-d8754z-894af021546db132-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:sipusername@75.71.186.17:42074;rinstance=65c73083353adf9d>;expires=0
To: "sipdisplayname"<sip:sipusername@78.129.143.200>
From: "sipdisplayname"<sip:sipusername@78.129.143.200>;tag=b2127143
Call-ID: NjY0MmU5ZjhhMTJhZmFlYWJhMmM4MDY3NTVjZjlkYWI.
CSeq: 3 REGISTER
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1013t stamp 43070
Authorization: Digest username="sipauthname",realm="78.129.143.200",nonce="2da9c5ae-b512-11dc-92d4a9bf24bac484",uri="sip:78.129.143.200",response="c13fe382888ec016e234595b608caab0",cnonce="780c520efb22fe9fdf270fd8cd5e2a28",nc=00000002,qop=a
Content-Length: 0

- note that sipdisplayname, sipusername and sipauthname are all distinct.

--Dave
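
The mismatch described in the message above can be checked for on the registrar side or in captured traffic. The following is an added example, not part of the original post and not FreeSWITCH code: it compares the user part of the To and From URIs of a REGISTER with the Digest username and reports any difference. The sample message is constructed (documentation addresses, placeholder nonce and response), and the function names are hypothetical.

```python
import re

# Constructed REGISTER modelled on the one quoted in the post.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:192.0.2.10 SIP/2.0",
    'To: "sipdisplayname"<sip:sipusername@192.0.2.10>',
    'From: "sipdisplayname"<sip:sipusername@192.0.2.10>;tag=b2127143',
    "CSeq: 3 REGISTER",
    'Authorization: Digest username="sipauthname",realm="192.0.2.10",',
    ' nonce="constructed-nonce",uri="sip:192.0.2.10",response="00"',
    "Content-Length: 0",
    "", "",
])

COMPACT = {"t": "to", "f": "from"}  # SIP compact header forms

def parse_headers(raw):
    """Return {lowercased header name: value}, unfolding continuation lines."""
    headers, last = {}, None
    for line in re.split(r"\r?\n", raw)[1:]:   # skip the request line
        if not line:                            # blank line ends the headers
            break
        if line[0] in " \t" and last:           # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers[last] = value.strip()
    return headers

def uri_user(value):
    """User part of the first sip:/sips: URI in a header value, or None."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1) if m else None

def digest_username(value):
    """username parameter of a Digest Authorization header, or None."""
    m = re.search(r'\busername="([^"]*)"', value)
    return m.group(1) if m else None

def check_register(raw):
    """List the headers whose SIP user differs from the authenticated name."""
    h = parse_headers(raw)
    auth = digest_username(h.get("authorization", ""))
    if auth is None:
        return ["no Digest credentials"]
    findings = []
    for name in ("to", "from"):
        user = uri_user(h.get(name, ""))
        if user != auth:
            findings.append(f"{name} user {user!r} != auth user {auth!r}")
    return findings
```

A registrar that routes on the To user would reject or alert on any REGISTER for which check_register() returns a non-empty list.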
