| Summary: | ASTERISK-17115: Undefined SIP users can exploit default context to make calls | ||
| Reporter: | ngupta (ngupta) | Labels: | |
| Date Opened: | 2010-12-15 17:57:12.000-0600 | Date Closed: | 2011-06-07 14:01:00 |
| Priority: | Major | Regression? | No |
| Status: | Closed/Complete | Components: | Channels/chan_sip/General |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | A sip client can exploit the default context created in asterisk server. Even when a user is not defined anywhere in asterisk config, that user can place calls to users or extensions through 'default' context. This is reproducible. Setup info is simple: 1. create an asterisk server 2. Dont care for any users 3. Start server 4. Pick any SIP client e.g. xten lite 5. Enter all info about asterisk server and pick a random user ID which does not exist on asterisk. 6. xten lite will keep showing some error and asterisk logs will show 'No matching peer found' 7. xten lite can still place calls to defined extensions 8. if outgoing plan is also part of 'default' context, then that undefined user was able to dial outside using trunk. I think this is a big security issue. | ||
| Comments: | By: ngupta (ngupta) 2010-12-15 18:08:28.000-0600 I found my own solution. In sip.conf, there is a default option allowguest = yes I changed it to 'no' and restarted asterisk. Its OK now. | ||