<div dir="ltr"><font face="arial, helvetica, sans-serif" color="#000000" style="background-color:rgb(255,255,255)">Read directory/default/default.xml</font><div><font face="arial, helvetica, sans-serif" color="#000000" style="background-color:rgb(255,255,255)"><br></font></div><div><font face="arial, helvetica, sans-serif" color="#000000" style="background-color:rgb(255,255,255)">This will actually cause nothing to happen. If you realize the context on the profile is public, they will not be able to actually do anything as they'll be assigned to the context on the profile since that user doesn't have a user_context variable.</font></div><div><font face="arial, helvetica, sans-serif" color="#000000" style="background-color:rgb(255,255,255)"><br></font></div><div><font face="arial, helvetica, sans-serif" color="#000000" style="background-color:rgb(255,255,255)">It states exactly this:</font></div><div><font face="arial, helvetica, sans-serif" color="#000000" style="background-color:rgb(255,255,255)"><br></font></div><div><p style="margin:0px;font-stretch:normal;line-height:normal"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">        ATTENTION PLEASE READ THIS... (I know you won't but you've been warned)</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;min-height:26px"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">                                                                                                                                                                </font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">        Let it be known that this user can register without a password but since we do not assign                                                               </font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">        this user a user_context and we don't authenticate this user they will be put in context 'public'.                                                      </font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;min-height:26px"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">                                                                                                                                                                </font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">        This isn't a security issue as the endpoint would be put into the same context 'public' as the                                                          </font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">        sofia profile that starts on 5080 by default. If you're paranoid just remove this file and                                                              </font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif" color="#000000">        remove the external profile also.</font></span></p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 26, 2018 at 1:14 PM, Bilal Abbasi <span dir="ltr">&lt;<a href="mailto:bilaln018@gmail.com" target="_blank">bilaln018@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">"default" is the ONLY user that gets registered with any password (I tried from my own softphone); if I try any valid user like 1000, 1001 I am not able to register.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 27, 2018 at 12:08 AM, Bilal Abbasi <span dir="ltr">&lt;<a href="mailto:bilaln018@gmail.com" target="_blank">bilaln018@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here is the sngrep screenshot. I guess if I did the blind accept, it should not reply back with 401 (just an assumption).</div><div class="m_6600071729509688633HOEnZb"><div class="m_6600071729509688633h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 27, 2018 at 12:03 AM, Bilal Abbasi <span dir="ltr">&lt;<a href="mailto:bilaln018@gmail.com" target="_blank">bilaln018@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yes, it's challenging auth, and after auth, whatever password is configured on the softphone, it sends 200 OK.<div>and I 
have </div><div><span style="font-family:Monaco;font-size:10px">&lt;param name="accept-blind-reg" value="false"/&gt;</span></div>







</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_6600071729509688633m_2038638445344449330h5">On Sat, Jan 27, 2018 at 12:00 AM, Michael Jerris <span dir="ltr">&lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_6600071729509688633m_2038638445344449330h5"><div style="word-wrap:break-word">Is it challenging for auth or no? Maybe you have blind reg turned on? <span><div><br><div><blockquote type="cite"><div>On Jan 26, 2018, at 1:41 PM, Bilal Abbasi &lt;<a href="mailto:bilaln018@gmail.com" target="_blank">bilaln018@gmail.com</a>&gt; wrote:</div><br class="m_6600071729509688633m_2038638445344449330m_3650668160651168244m_-8495716828034092378Apple-interchange-newline"><div><div dir="ltr">Hi Users,<div>I am using FreeSWITCH<span style="background-color:rgb(255,255,255)"><font> <font face="arial, helvetica, sans-serif"><span style="font-variant-ligatures:no-common-ligatures">Version 1.6.19 git c540248.</span></font></font></span></div><div>Today I noticed a very weird issue, that I am getting an attack on one of my dev servers, that somebody is trying to make calls out of the box.</div><div>And he is able to register the phone via "default" username (check via sngrep). I am using a complex password and there is NO USER with name "DEFAULT" on my switch.</div><div>I tried to register the default user with any random password and it allowed me to register on my softphone.</div><div>I am really worried, and I can't believe that it's something at the FS end.</div><div>I am sure it's some mistake, can somebody help me out 
please.</div></div></div></blockquote></div><br></div></span></div><br></div></div><span>______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/free<wbr>switch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></span></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:12.8px"><font color="#000000"><img src="https://docs.google.com/uc?export=download&id=1xswZRZyVDo0WQhaemK47pU266yzDRmi0&revid=0B2xnT7i45ngrMTVKM1dpSHZIN28zU0QzbW9xeVF6RXFyRHhBPQ"><br></font></div><div style="font-size:12.8px"><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:4.5pt"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000">Brian West | Co-founder and Developer</font></span></p><p style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:4.5pt"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000">Need Commercial support? 
email <a href="mailto:sales@freeswitch.com" target="_blank">sales@freeswitch.com</a> </font></span></p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:4.5pt"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000">FreeSWITCH Solutions | <a href="https://maps.google.com/?q=17345+Civic+Drive+%232531+Brookfield,+WI+53045&entry=gmail&source=g" style="color:rgb(17,85,204)" target="_blank">17345 Civic Drive #2531 Brookfield, WI 53045</a></font></span></p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:4.5pt"><font color="#000000"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Email: </span><span style="color:rgb(17,85,204);font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><a href="mailto:brian@freeswitch.com" target="_blank">brian@freeswitch.com</a></span></font></p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:4.5pt"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000">Mobile: 918-424-9378</font></span></p><p dir="ltr" style="font-size:12.8px;line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:4.5pt"><font color="#000000"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Website: </span><a href="https://www.freeswitch.com/" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:8pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">https://www.FreeSWITCH.com</span></a></font></p><p dir="ltr" style="font-size:12.8px;line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font 
color="#000000"><a href="https://www.facebook.com/freeswitch/" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><img src="https://lh6.googleusercontent.com/l9_7QxvYIM4pcdS6eXAkIOZKqHnR2mYmt879_LZ93jSG-uGqOLzO0KVlBzTnPxn7QwU7I0Ednhi0MT_4nRGSobPt4f-LXMWr891Agu25Mvx-AD3k45rf6vUBquJW8NMPkHb_DBaK" width="23" height="23" alt="color-facebook-96.png" style="border:none"></span></a><span style="font-size:11pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><a href="https://twitter.com/freeswitch?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor" style="color:rgb(17,85,204)" target="_blank"><img src="https://lh5.googleusercontent.com/_iuGyx4UVI8fg3j3y7xgK6SX7BeTVYO7CLvH29tkkdgRnugoB6Ry39J5IcLdAKinOWuYrprkLisaB8sxMNrHgXAaHBy-GC1510iJrNIwBP5bCM_LGbOisxBTgao6yWITZ4lgQZVD" width="23" height="23" alt="color-twitter-96.png" style="border:none"></a></span></font></p></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
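<div>The check described in the reply above, as an added example that is not part of the original thread or of FreeSWITCH itself: it reads a directory user file and a sofia profile, reports whether each user carries a credential, and works out which dialplan context the user would land in when no user_context variable is set. The XML samples are constructed for illustration, the function names are hypothetical, and params inherited from a domain or group are not resolved.</div>

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the layout the thread describes.
DEFAULT_USER = """<include>
  <user id="default">
    <variables><variable name="numbering_plan" value="US"/></variables>
  </user>
</include>"""

NORMAL_USER = """<include>
  <user id="1000">
    <params><param name="password" value="constructed-secret"/></params>
    <variables><variable name="user_context" value="default"/></variables>
  </user>
</include>"""

PROFILE = """<profile name="internal">
  <settings>
    <param name="context" value="public"/>
    <param name="accept-blind-reg" value="false"/>
  </settings>
</profile>"""

CRED_PARAMS = {"password", "a1-hash"}  # directory params that carry a credential

def audit_profile(xml_text):
    """Return (context, blind_reg_enabled) for one sofia profile."""
    settings = {p.get("name"): p.get("value") for p in ET.fromstring(xml_text).iter("param")}
    # Assumption: a missing accept-blind-reg param means blind registration is off.
    blind = (settings.get("accept-blind-reg") or "false").lower() == "true"
    return settings.get("context"), blind

def audit_users(xml_text, profile_context):
    """Report each user's credential status and effective dialplan context."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        params = {p.get("name") for p in user.iter("param")}
        variables = {v.get("name"): v.get("value") for v in user.iter("variable")}
        findings.append({
            "id": user.get("id"),
            "has_credential": bool(params & CRED_PARAMS),
            # Without user_context the endpoint gets the profile's context.
            "effective_context": variables.get("user_context", profile_context),
        })
    return findings

def passwordless_outside(findings, safe_context="public"):
    """IDs of passwordless users that would reach a context other than safe_context."""
    return [f["id"] for f in findings
            if not f["has_credential"] and f["effective_context"] != safe_context]
```

<div>An empty result from passwordless_outside matches the situation the reply describes; any ID it returns is a user entry that has no credential yet is routed into a non-public context.</div>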