ARI misc/audio.php recording Variable Traversal Arbitrary File Access

2006-04-20T10:02:36
ID OSVDB:24806
Type osvdb
Reporter Francois Harvey(fharvey@securiweb.net)
Modified 2006-04-20T10:02:36

Description

Vulnerability Description

Asterisk Recording Interface contains a flaw that allows a remote attacker to access other user's voice mail. The issue is due to the '/recordings/misc/audio.php' script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'recording' variable. This may lead to a loss of confidentiality of '.mp3', '.wav' and '.gsm' voice mail messages. In addition, attackers might be able to determine the existence of files of other files within the remote file system.

Solution Description

Upgrade to version 0.10.00 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Asterisk Recording Interface contains a flaw that allows a remote attacker to access other user's voice mail. The issue is due to the '/recordings/misc/audio.php' script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'recording' variable. This may lead to a loss of confidentiality of '.mp3', '.wav' and '.gsm' voice mail messages. In addition, attackers might be able to determine the existence of files of other files within the remote file system.

Manual Testing Notes

http://[target]/recordings/misc/audio.php?recording=/var/spool/asterisk/voicemail/default/<mailbox>/INBOX/msg####.wav

References:

Vendor URL: http://www.littlejohnconsulting.com/?q=node/11 Security Tracker: 1015164 Secunia Advisory ID:19744 Related OSVDB ID: 24805 Other Advisory URL: http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2006.1 Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0536.html FrSIRT Advisory: ADV-2006-1457 CVE-2006-2021 Bugtraq ID: 17641