[Freeswitch-users] [Security Issue][Need urgent comment]

Brian West brian at freeswitch.com
Fri Jan 26 19:51:29 UTC 2018


I actually did that on purpose, so if you disable auth on internal you
don't accidentally open yourself up for fraud.

/b


On Fri, Jan 26, 2018 at 1:35 PM, Bilal Abbasi <bilaln018 at gmail.com> wrote:

> Brian,
> Thanks a lot, it was exactly as you said. I was in fact even more wondering
> why a call on the internal SIP profile goes to the public context; anyway, it's
> clear now.
> Thank you everyone for such quick responses, highly appreciated.
>
> Regards
> Abbasi
>
> On Sat, 27 Jan 2018 at 12:20 AM, Abaci B <abaci64 at gmail.com> wrote:
>
>> Are you by chance using xml_curl or some other dynamic method to generate
>> the users?
>>
>> On Fri, Jan 26, 2018 at 2:14 PM, Bilal Abbasi <bilaln018 at gmail.com>
>> wrote:
>>
>>> "default" is the ONLY user that gets registered with any password (I tried
>>> from my own softphone); if I try any valid user like 1000, 1001 I am not
>>> able to register.
>>>
>>> On Sat, Jan 27, 2018 at 12:08 AM, Bilal Abbasi <bilaln018 at gmail.com>
>>> wrote:
>>>
>>>> Here is the sngrep screenshot. I guess if I did the blind accept, it
>>>> should not reply back with 401 (just an assumption).
>>>>
>>>> On Sat, Jan 27, 2018 at 12:03 AM, Bilal Abbasi <bilaln018 at gmail.com>
>>>> wrote:
>>>>
>>>>> Yes, it's challenging auth, and after auth, whatever password is
>>>>> configured on the softphone, it sends 200 OK.
>>>>> And I have
>>>>>  <param name="accept-blind-reg" value="false"/>
>>>>>
>>>>> On Sat, Jan 27, 2018 at 12:00 AM, Michael Jerris <mike at jerris.com>
>>>>> wrote:
>>>>>
>>>>>> Is it challenging for auth or not?  Maybe you have blind reg turned
>>>>>> on?
>>>>>>
>>>>>> On Jan 26, 2018, at 1:41 PM, Bilal Abbasi <bilaln018 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Hi Users,
>>>>>> I am using FreeSWITCH Version 1.6.19 git c540248.
>>>>>> Today I noticed a very weird issue: I am getting an attack on one
>>>>>> of my dev servers, where somebody is trying to make calls out of the box.
>>>>>> And he is able to register the phone via the "default" username (checked via
>>>>>> sngrep). I am using a complex password and there is NO USER with the name
>>>>>> "DEFAULT" on my switch.
>>>>>> I tried to register the default user with any random password and it
>>>>>> allowed me to register on my softphone.
>>>>>> I am really worried, and I can't believe that it's something at the FS
>>>>>> end.
>>>>>> I am sure it's some mistake; can somebody help me out please?
>>>>>>
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
>



-- 

Brian West | Co-founder and Developer

Need Commercial support? email sales at freeswitch.com

FreeSWITCH Solutions | 17345 Civic Drive #2531 Brookfield, WI 53045

Email: brian at freeswitch.com

Mobile: 918-424-9378

Website: https://www.FreeSWITCH.com <https://www.freeswitch.com/>

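A small config audit in the spirit of this thread, added here as an example and not code from the thread or from the FreeSWITCH project: it parses a sofia SIP profile and flags the three settings the discussion turns on, the accept-blind-reg param Bilal checked, the profile's auth setting Brian refers to (assumed here to be the auth-calls param), and the profile context that Brian deliberately left at "public". The two sample profiles are constructed, not the poster's real configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles, modelled on the shape of a vanilla sofia
# internal.xml; neither is the poster's real configuration.
WEAK_PROFILE = """<profile name="internal"><settings>
  <param name="context" value="default"/>
  <param name="accept-blind-reg" value="true"/>
  <param name="auth-calls" value="false"/>
</settings></profile>"""

SAFE_PROFILE = """<profile name="internal"><settings>
  <param name="context" value="public"/>
  <param name="accept-blind-reg" value="false"/>
  <param name="auth-calls" value="true"/>
</settings></profile>"""

def profile_params(xml_text):
    """Return {name: value} for every <param> element in the profile."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "")
            for p in root.iter("param") if p.get("name")}

def audit_sofia_profile(xml_text):
    """Return (param, finding) tuples; an empty list means nothing was flagged."""
    params = profile_params(xml_text)
    findings = []

    def val(name):
        v = params.get(name)
        if v is None:
            return None
        if v.startswith("$"):
            # $${var} is expanded from vars.xml at load time, so it cannot be
            # judged from the profile alone: ask for a manual check instead.
            findings.append((name, "set to %s; confirm the value in vars.xml" % v))
            return "unresolved"
        return v.strip().lower()
    # accept-blind-reg is off unless set; "true" accepts any REGISTER unchallenged.
    if val("accept-blind-reg") == "true":
        findings.append(("accept-blind-reg", "REGISTER accepted without a password challenge"))
    # auth-calls off means INVITEs from anyone are handled as if authenticated.
    auth = val("auth-calls")
    if auth is None or auth == "false":
        findings.append(("auth-calls", "calls are not challenged for credentials"))
    # Unauthenticated traffic lands in the profile context; "public" keeps it off the outbound dialplan.
    ctx = val("context")
    if ctx is None or ctx not in ("public", "unresolved"):
        findings.append(("context", "profile default context is %r, not 'public'" % ctx))
    return findings
```

Run it over each sofia profile under sip_profiles/; a finding on accept-blind-reg or auth-calls is exactly the "any password registers" symptom described at the top of the thread.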