Re: [OpenSIPS-Users] Help dropping SQL injection attacks

2023-12-06 Thread Bogdan-Andrei Iancu

Hi Gregory,

For the grammar of the SIP username, see the 
https://www.ietf.org/rfc/rfc3261.html, page 221 - you have all the 
details there.


For the contact test, yes, it should be correct.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
  https://www.siphub.com

On 05.12.2023 14:45, Gregory Massel wrote:


Thank you Bogdan!

It's worth noting that, if using {s.escape.user}, it won't detect a 
SQL injection, however, it may detect other potentially problematic 
characters, so one then has to apply both checks individually, e.g.


if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
    xlog("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
    send_reply(403, "Forbidden");
    exit;
}
if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
    xlog("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
    send_reply(403, "Forbidden");
    exit;
}

So above doesn't block UTF-8; it just enforces that it must be 
received from the client in fully escaped form.


I'm gathering that UTF-8 is actually acceptable for the user part (and 
most other parts) of the URI, provided that it's encoded with '%'? I 
work with purely ASCII user parts; however, out of interest, I was 
wondering whether it is allowable and/or commonplace to use Unicode 
extended character sets for any portions of the URI in parts of the 
world where other character sets are more frequently used. From what I 
could find, it seems that UTF-16 is not allowed in the user part and 
that the domain would be internationalised using Punycode, so the full 
URI should always be encoded in ASCII, but with UTF-8 (but not UTF-16) 
permitted in %-encoded form for the user part?


With respect to the Contact header, I'm struggling a bit. Is the 
syntax below correct?


if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
    send_reply(403, "Forbidden");
    exit;
}
--
Thanks
*Gregory Massel*

On 2023-12-05 11:33, Bogdan-Andrei Iancu wrote:

Hi Gregory,

As it is said, there is no single way to skin the cat :). Your 
approach is a valid one, by using the escaping transformation. Maybe 
you should check the s.escape.user [1].


Such checks make sense when using avp_db_query(), i.e. raw queries. The 
internal queries (like auth, etc.) are done via prepared statements, 
so they are safe from injections.


[1] https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user

Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
   https://www.siphub.com
On 30.11.2023 02:34, Gregory Massel via Users wrote:


Hi all

I'm wondering what the best practice is in terms of detecting and 
dropping attempted SQL injection attacks?


Is something like the following adequate or can this be enhanced:

if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
    drop();
}

Obviously this does not remove the need to escape anything passed to 
avp_db_query(), however, what I want to do is identify these sorts 
of attacks at the top of the script and avoid processing.


To date all the attacks I've seen focus on the contact and from 
user, e.g.:

INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0
Contact:
To:
From:;tag=v2pjtxqb

I'm not quite sure how to match the Contact user. Would the 
following work?

if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
    drop();
}
--
Regards
*Gregory Massel*

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
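As an added illustration (not code from the thread or from OpenSIPS), a small Python classifier that applies the RFC 3261 `user` grammar Bogdan points at and, separately, the SQL-metacharacter test Gregory's first check is after. It shows why the two checks in the thread are independent: an apostrophe is grammatically valid yet SQL-significant, raw UTF-8 is not grammatical while %-encoded UTF-8 is, and a grammatical escape can still decode to invalid UTF-8. The exact character set of `s.escape.common` is an assumption here, and the sample user parts are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# RFC 3261, section 25.1 (the grammar Bogdan points at):
#   user            = 1*( unreserved / escaped / user-unreserved )
#   unreserved      = alphanum / mark
#   mark            = "-" / "_" / "." / "!" / "~" / "*" / "'" / "(" / ")"
#   user-unreserved = "&" / "=" / "+" / "$" / "," / ";" / "?" / "/"
#   escaped         = "%" HEXDIG HEXDIG
_USER_RE = re.compile(r"^(?:[A-Za-z0-9\-_.!~*'()&=+$,;?/]|%[0-9A-Fa-f]{2})+$")

# Characters that break a naively interpolated SQL string. Assumption: this
# mirrors the intent of s.escape.common, not its exact byte set.
_SQL_META = set("'\"\\\x00")


def check_sip_user(user: str) -> dict:
    """Return three independent verdicts for one SIP URI user part.

    grammar_ok - matches the RFC 3261 'user' production (raw UTF-8 fails,
                 %-encoded UTF-8 passes)
    utf8_ok    - the %-decoded bytes form valid UTF-8
    sql_meta   - the string as received contains SQL-significant characters
    The thread's point is that these do not imply one another: an apostrophe
    is RFC-valid ('mark') yet SQL-significant, so both checks are needed.
    """
    grammar_ok = bool(_USER_RE.match(user))
    try:
        unquote_to_bytes(user).decode("utf-8")
        utf8_ok = True
    except UnicodeDecodeError:
        utf8_ok = False
    sql_meta = any(c in _SQL_META for c in user)
    return {"grammar_ok": grammar_ok, "utf8_ok": utf8_ok, "sql_meta": sql_meta}


# Constructed sample user parts, one per case discussed in the thread.
SAMPLES = {
    "00111390237920793": "plain numeric user from the quoted INVITE",
    "o'brien": "RFC-valid, but the apostrophe is SQL-significant",
    "j%C3%BCrgen": "%-encoded UTF-8: RFC-valid and decodes cleanly",
    "j\u00fcrgen": "raw UTF-8: not RFC-valid on the wire",
    "x%FF": "RFC-valid escape that is not valid UTF-8",
}

if __name__ == "__main__":
    for user, why in SAMPLES.items():
        print(f"{user!r:22} {check_sip_user(user)}  # {why}")
```

Note that a legitimate user such as o'brien trips the SQL-metacharacter test, so a 403 on that check alone is a policy decision about what your user base contains, not a pure attack signal.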






Re: [OpenSIPS-Users] Stateless mode in opensips

2023-12-06 Thread Bogdan-Andrei Iancu

Hi,

If you want your OpenSIPS not to stay in the middle of the dialog (after 
the initial request) you should not do any record_route() and you should 
not use the dialog module at all.


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
  https://www.siphub.com

On 05.12.2023 17:20, amel.gue...@sofrecom.com wrote:


Hello

Sorry if I wasn’t clear.

We would like to implement a dialog stateless SIP proxy. Once the 
correct SIP routing is found, we would like to allow the SIP-based 
elements to perform midcall signaling directly with one another.


Best regards,

*From:* Users  *On behalf of* 
Bogdan-Andrei Iancu

*Sent:* Tuesday, 5 December 2023 12:17
*To:* OpenSIPS users mailing list ; GUESMI 
Amel SOFRECOM 
*Cc:* BARKAOUI Chaker SOFRECOM ; 
DESGEORGE Guillaume INNOV/IT-S 

*Subject:* Re: [OpenSIPS-Users] Stateless mode in opensips

Hi,

Your post is a bit confusing when it comes to state (and stateful): are 
you talking about transaction stateful or dialog stateful?


Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
   https://www.siphub.com

On 05.12.2023 13:01, amel.gue...@sofrecom.com wrote:

Hi opensips experts,

We have always worked with OpenSIPS in a stateful mode and the first
words in the routing module description are "OpenSIPS is basically
/only/ a transaction stateful proxy".

I've also seen that there is a stateless module ("The SL module
allows OpenSIPS to act as a stateless UA server and generate
replies to SIP requests without keeping state"), but is it possible
to use OpenSIPS functionality like dialplan and dispatcher
without keeping the state of the dialog?

Thanks for your help

On behalf of my colleague Guillaume

BR, Amel







Re: [OpenSIPS-Users] OpenSIPS Control Panel supported OpenSIPS version question

2023-12-06 Thread rvg
Hi all,

I do not know where to post this, but maybe it is all right.

I use:
Opensips 3.4 compiled on Oracle VM ARM Ubuntu 22.04.2 LTS - php 7.4 with OCP 
9.3.3. Everything works!
Installed OCP 9.3.4 and many menus on the left side have no reaction:
CallCenter
keepalived
TLS management !
UAC registrant
SMPP Gateway
TCP Management

Regards,

Ronald Geerligs




October 2, 2023 at 8:49 AM, "Răzvan Crainea"  wrote:


> 
> Hi, Nineto!
> 
> Although it was not already released, OpenSIPS master branch should be 
> compatible with OpenSIPS 3.4. The compatibility process is not yet 
> complete, therefore a full release (9.3.4) is not available yet for 
> OpenSIPS 3.4.
> 
> Best regards,
> 
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com/ / https://www.siphub.com/
> 
> On 9/29/23 19:15, Nine to one wrote:
> 
> > 
> > Hello OpenSIPS Control Panel developers,
> >  
> >  From the website, OCP only mentions support up to OpenSIPS 3.3. I am using 
> >  3.4, so I want to know whether the current OCP already supports OpenSIPS 3.4 or not.
> >  
> >  Thanks,
> >  Nineto
> >  
> > 
> 