]> git.ipfire.org Git - thirdparty/asterisk.git/commit
projects / thirdparty / asterisk.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4628424) | patch
AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
authorRichard Mudgett <rmudgett@digium.com>
Mon, 30 Apr 2018 22:38:58 +0000 (17:38 -0500)
committerRichard Mudgett <rmudgett@digium.com>
Mon, 11 Jun 2018 15:28:21 +0000 (09:28 -0600)
commite01e83d4fc520d7b676663d89cf1016b16e0b803
tree9e08a90caa26f8c385f79b2e9bd72d17f505fd35tree | snapshot
parent462842488f791f850604f453e65f58c5001c99d7commit | diff
AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden.  However, if an endpoint is not identified then a 401
unauthorized response is sent.  This vulnerability just discloses which
requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified.  The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.

ASTERISK-27818

Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
res/res_pjsip/pjsip_distributor.c diff | blob | blame | history
Mirror of https://github.com/asterisk/asterisk.git