Project

General

Profile

Bug #16935

Updated by Jim Pingle 1 day ago

If a malicious user can register with siproxd using a specially-crafted registration URI, that string can be printed back to the user without encoding on @siproxd_registered_phones.php@. 

 For example: 
 <pre> 
 Contact: <sip:<svg/onload="alert(String.fromCharCode(88,83,83))">@198.51.100.34:5088>;expires=600 
 </pre> 

 An easy way to test is to copy the following data over @/var/siproxd/siproxd_registrations@ and refresh the page immediately: 

 <pre> 
 ****:1:1783365905 
 sip:<svg/onload="alert(String.fromCharCode(88,83,83))" 
 sip:user@10.34.0.10:5061 
 sip:user@198.51.100.34:5061 
 </pre> 

 Reported by: @lujiefsi 

Back