Opensips CP 8.3.2 session validation not checked
Integration-IT opened this issue · 0 comments
Integration-IT commented
Some pages do not check if the session is valid; they should probably redirect to the login page on error.
This example allows you to find information about an account without being registered from the login page.
curl -k "https://x.x.x.x/cp/tools/users/user_management/show_contacts.php?username=1234&domain=127.0.0.1" -s | grep 'searchRecord'
...
<td class="searchRecord" width="70" style="width: 70px;">Contact</td>
<td class="searchRecord" style="width: 230px;">sip:1234@...</td>
<td class="searchRecord" width="70">QValue</td>
<td class="searchRecord">n/a</td>
<td class="searchRecord" width="70">Expires</td>
<td class="searchRecord">34</td>
<td class="searchRecord" width="70">Flags</td>
<td class="searchRecord">0</td>
<td class="searchRecord" width="70">CFlags</td>
<td class="searchRecord">NAT</td>
<td class="searchRecord" width="70">Socket</td>
<td class="searchRecord">udp:...</td>
<td class="searchRecord" width="70">Methods</td>
<td class="searchRecord">...</td>
<td class="searchRecord" width="70">Received</td>
<td class="searchRecord">sip:...</td>
<td class="searchRecord" width="70">State</td>
<td class="searchRecord">CS_SYNC</td>
<td class="searchRecord" width="70">User Agent</td>
<td class="searchRecord">...</td>
Pages:
tools/users/user_management/show_contacts.php
tools/system/tviewer/apply_changes.php
tools/system/callcenter/apply_changes.php
tools/system/uac_registrant/apply_changes.php
tools/system/tls_mgm/apply_changes.php
tools/system/smpp/apply_changes.php
common/forms.php
footer.php
header.php
menu.php
blank.php
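A static check for the gap reported above, as an added example that is not part of the original issue or of the OpenSIPS CP code: it walks a PHP tree and lists files where no session check runs before request input is read or output is produced. The guard name `require_valid_session` is a hypothetical placeholder for whatever check the code base uses, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: guarded pages call one of these functions. The name is
# hypothetical; substitute the session check your code base really uses.
GUARD_CALLS = ("require_valid_session",)
# Crude PHP comment stripper; it can also eat "//" or "#" inside strings,
# which only makes the audit over-report, never under-report.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# First point where a page reads request data or starts emitting output.
SINK = re.compile(r"\$_(?:GET|POST|REQUEST)\b|\b(?:echo|print)\b|\?>")

def guard_precedes_input(php_source, guards=GUARD_CALLS):
    """True if a guard call exists and comes before the first sink."""
    code = _COMMENTS.sub("", php_source)
    names = "|".join(map(re.escape, guards))
    # The lookbehind skips the guard's own definition ("function name(").
    guard = re.search(r"(?<!function )\b(?:%s)\s*\(" % names, code)
    if guard is None:
        return False
    sink = SINK.search(code)
    return sink is None or guard.start() < sink.start()

def audit(webroot, guards=GUARD_CALLS):
    """Sorted relative paths of .php files that fail the check."""
    root = Path(webroot)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if not guard_precedes_input(p.read_text(errors="replace"), guards)
    )

def build_sample_tree(root):
    """Write constructed sample files (not OpenSIPS CP source)."""
    samples = {
        "tools/users/show_contacts.php": "<?php\n$u = $_GET['username'];\necho lookup($u);\n",
        "tools/users/list.php": "<?php\nrequire 'session.php';\nrequire_valid_session();\necho render();\n",
        "tools/system/apply_changes.php": "<?php\n// require_valid_session();\necho reload();\n",
        "tools/system/late.php": "<?php\necho $_POST['x'];\nrequire_valid_session();\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        for rel in audit(d):
            print("no session check before input/output:", rel)
```

Include files such as headers, footers and menus are flagged too unless they call the guard themselves, which matches the situation where they can be requested directly by URL.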