CVE
- Id
- 5059
- CVE No.
- CVE-2002-0669
- Status
- Candidate
- Description
- The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 allows administrators to cause a denial of service by modifying the SIP_AUTHENTICATE_SCHEME value to force authentication of incoming calls, which does not notify the user when an authentication failure occurs.
- Phase
- Proposed (20030317)
- Votes
- ACCEPT(1) Cole | NOOP(2) Cox, Wall | REJECT(1) Baker
- Comments
- Baker> I don"t believe that a configuration option by the administrator is a | vulnerability. The fact that the administrator can require authentication | of users attempting to use the service, without notifying users that | are NOT using authentication is not a vulnerability. For example, I | could configure sshd to allow only certain hosts to connect, by means of | a key, and if someone else tried to connect that is not authorized, it | would disallow it. Similarly, the administrator could require authentication | and only notify those users allowed to connect of the necessary authentication | credentials to preclude un-authorized use of the system. The only way I would | see this as a vulnerability was if the change was able to be made without | the proper credentials through some fault in the program, or if there was no way to enable authentication on | any client trying to connect which would render the system unusable to everyone | (but that would still not really be a vulnerability as much as a "stupid | feature") | The ability to make this change afer gaining administrator priveleges by means | of another vulnerability does not make this a vulnerability. I would classify | this as a configuration setting that can severly restrict access, at the discretion | of the administrator.
