[Freeswitch-users] [Security Issue][Need urgent comment]

Bilal Abbasi bilaln018 at gmail.com
Fri Jan 26 19:14:36 UTC 2018


"default" is the ONLY user that gets registered with any password (I tried
from my own softphone); if I try any valid user like 1000, 1001, I am not
able to register.

On Sat, Jan 27, 2018 at 12:08 AM, Bilal Abbasi <bilaln018 at gmail.com> wrote:

> Here is the sngrep screenshot. I guess if I did the blind accept, it
> should not reply back with 401 (just an assumption).
>
> On Sat, Jan 27, 2018 at 12:03 AM, Bilal Abbasi <bilaln018 at gmail.com>
> wrote:
>
>> Yes, it's challenging auth, and after auth, whatever password is configured
>> on the softphone, it sends 200 OK.
>> And I have
>>  <param name="accept-blind-reg" value="false"/>
>>
>> On Sat, Jan 27, 2018 at 12:00 AM, Michael Jerris <mike at jerris.com> wrote:
>>
>>> Is it challenging for auth or no? Maybe you have blind reg turned on?
>>>
>>> On Jan 26, 2018, at 1:41 PM, Bilal Abbasi <bilaln018 at gmail.com> wrote:
>>>
>>> Hi Users,
>>> I am using FreeSWITCH Version 1.6.19 git c540248.
>>> Today I noticed a very weird issue: I am getting an attack on one of
>>> my dev servers, and somebody is trying to make calls out of the box.
>>> And he is able to register the phone via the "default" username (check via
>>> sngrep). I am using a complex password and there is NO USER with the name
>>> "DEFAULT" on my switch.
>>> I tried to register the default user with any random password and it
>>> allowed me to register on my softphone.
>>> I am really worried, and I can't believe that it's something at the FS end.
>>> I am sure it's some mistake. Can somebody help me out, please?