ARI includes/main.conf Credential Disclosure

2006-04-20T10:02:36
ID OSVDB:24805
Type osvdb
Reporter Francois Harvey (fharvey@securiweb.net)
Modified 2006-04-20T10:02:36

Description

Vulnerability Description

Asterisk Recording Interface contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests the configuration file '/recordings/includes/main.conf' directly, as there are no controls to prevent such access. This will disclose the application's configuration information, including administrative and database passwords, resulting in a loss of confidentiality.
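A local audit for the condition described above, as an added example that is not part of the original advisory or of ARI's code: it walks a web document root and reports secret-looking lines in files the server would return verbatim. The interpreted-extension list, the key-name pattern and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions the web server passes to an interpreter instead of
# returning as text. Adjust to the handler mappings of the server in use.
INTERPRETED = {".php", ".phtml"}
# Assumption: key names that suggest a stored secret.
SECRET_RE = re.compile(r"(?i)\b\w*(passw(or)?d|secret)\w*\s*[=:]\s*\S+")

def audit_docroot(docroot):
    """Return sorted (relative_path, line_number) pairs for secret-looking
    lines in files the server would hand out verbatim."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in INTERPRETED:
                continue  # executed server-side, source is not returned
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if SECRET_RE.search(line):
                            rel = os.path.relpath(path, docroot)
                            findings.append((rel.replace(os.sep, "/"), lineno))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout; file contents are invented, not ARI's."""
    inc = os.path.join(root, "recordings", "includes")
    os.makedirs(inc)
    with open(os.path.join(inc, "main.conf"), "w") as fh:
        fh.write("# constructed sample\nadmin_password = example-only\n"
                 "db_host = localhost\n")
    with open(os.path.join(inc, "bootstrap.php"), "w") as fh:
        fh.write("<?php $db_password = 'example-only'; ?>\n")
    with open(os.path.join(root, "recordings", "index.html"), "w") as fh:
        fh.write("<html>login</html>\n")

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, lineno in run_demo():
        print(f"/{rel}:{lineno} would be served as plain text")
```

On the constructed tree only the `.conf` file is reported; the `.php` file holding the same kind of value is skipped because its source is not returned to the client.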

Solution Description

Upgrade to version 0.10.00 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.littlejohnconsulting.com/?q=node/11
Secunia Advisory ID: 19744
Related OSVDB ID: 24806
Other Advisory URL: http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2006.1
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0536.html
FrSIRT Advisory: ADV-2006-1457
CVE-2006-2020
Bugtraq ID: 17641