[OpenSIPS-Users] Permissions and domains?

Iñaki Baz Castillo ibc at aliax.net
Sun Feb 27 19:08:15 CET 2011


2011/2/24 Toyima Dias <toyimads at gmail.com>:
> I have an Asterisk as a GW, I don't want to ask for authentication to
> incoming calls (coming from the Asterisk), so I did the following:
>
> Previously I added the IP of the Asterisk to the table "domain" so the
> function is_from_local could check the from domain in the domain table and
> get into the if loop

This is wrong and a real security hole. The is_from_local() function just
checks the existence of the From domain of the request in the "domain"
table. Any attacker in the world can send a spoofed request with such
a domain to your opensips. Will you allow it to access just because
the From domain is the same as the IP of your Asterisk?

Use the tables and functions in the permissions module, that's all.

-- 
Iñaki Baz Castillo
<ibc at aliax.net>
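
An added example, not part of the original post and not OpenSIPS code: a Python model of the two checks discussed above, showing why a From-domain lookup accepts a forged request while a source-address check does not. The addresses, table contents and function names are constructed for illustration; `from_domain_is_local` models a From-domain lookup like the one described for is_from_local(), and `source_is_trusted` models a source-address list of the kind the permissions module is recommended for.

```python
import ipaddress
import re

# Constructed sample data: 192.0.2.10 stands in for the Asterisk gateway.
DOMAIN_TABLE = {"192.0.2.10", "example.org"}                # consulted by the From-domain check
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]   # consulted by the source-address check

# Host part of the first SIP/SIPS URI on the From (or compact "f") header line.
FROM_RE = re.compile(r"^(?:From|f)\s*:.*?<?sips?:(?:[^@>;\s]*@)?([^>;:\s]+)", re.I | re.M)

def from_domain(raw):
    """Return the host part of the From URI; the sender chooses this value."""
    m = FROM_RE.search(raw)
    return m.group(1).lower() if m else None

def from_domain_is_local(raw):
    """Model of a From-domain check: it looks only at message content."""
    return from_domain(raw) in DOMAIN_TABLE

def source_is_trusted(src_ip):
    """Model of a source-address check: it looks only at where the packet came from."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_SOURCES)

def needs_auth(raw, src_ip, by="source"):
    """True when the request must be challenged instead of skipping authentication."""
    trusted = from_domain_is_local(raw) if by == "from" else source_is_trusted(src_ip)
    return not trusted

def invite(from_host):
    """Build a minimal constructed INVITE whose From URI uses from_host."""
    return ("INVITE sip:1000@example.org SIP/2.0\r\n"
            f"From: \"gw\" <sip:asterisk@{from_host}>;tag=1\r\n"
            "To: <sip:1000@example.org>\r\n\r\n")

if __name__ == "__main__":
    # (label, From host, real source address) - all constructed
    cases = [("real gateway", "192.0.2.10", "192.0.2.10"),
             ("forged From", "192.0.2.10", "203.0.113.77")]
    for label, host, src in cases:
        msg = invite(host)
        print(f"{label:13} from-check needs_auth={needs_auth(msg, src, 'from')} "
              f"source-check needs_auth={needs_auth(msg, src, 'source')}")
```
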


