Asterisk VoIP News

Thursday, November 10, 2005

Bugs: Asterisk vmail.cgi vulnerability

Matt Riddell of SineApps has posted details of the vulnerability. Good Job! - Vulnerability Advisory
Release Date:

Asterisk Web-VoiceMail (Comedian VoiceMail)

Asterisk is a complete PBX in software. It runs on Linux, BSD and Mac OS X and provides all of the features you would expect from a PBX and more.
Asterisk does voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.

Versions affected:
Asterisk Versions <= 1.0.9
Asterisk Beta Versions <= 1.2.0-beta1
Asterisk @ Home Versions <= 1.5
Asterisk @ Home Beta Versions <= 2.0 Beta 4

Vulnerability discovered:

A vulnerability in the voicemail retrieval system allows an authenticated user to download any .wav/.WAV file from the system, including other users' voicemail messages.

Low - Insecure web-ui causes breach of privacy

Vulnerability information:

vmail.cgi does not sanitize a parameter supplied by the web user that is later used to open a file and return its raw contents to the browser. This allows any authenticated user of the voicemail system to listen to other people's messages, or to open any file with the extension .wav/.WAV anywhere on the system.
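The following is an added illustration of the bug class the advisory describes, not the original vmail.cgi code (which is Perl) and not code from the Asterisk project. It reconstructs the pattern in Python: a handler that drops a user-supplied parameter straight into a file path and returns the bytes, beside a hardened handler that whitelists the parameters and checks the resolved path is still inside the authenticated user's mailbox. The spool layout, the parameter names `folder` and `msg`, and the sample files are all assumptions made for the example.

```python
"""
Added example (not the original vmail.cgi code): the file-serving pattern the
advisory describes, reconstructed in Python, with a hardened version beside it.

Assumptions (hypothetical, not from the advisory): the spool layout
<spool>/<mailbox>/<folder>/<msg>.wav, and a request carrying 'folder' and 'msg'
parameters plus the mailbox number the user authenticated as.
"""
import os
import re
import tempfile

# Whitelists for the two user-controlled parameters: no '/', no '..', bounded length.
FOLDER_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
MSG_RE = re.compile(r"^msg[0-9]{4}$")


class Forbidden(Exception):
    pass


def serve_unsafe(spool, mailbox, folder, msg):
    """The advisory's pattern: 'folder' and 'msg' go straight into the path.
    Only the extension is fixed, which is why the exposure is limited to .wav
    files; everything else on the filesystem is reachable through '..'."""
    path = os.path.join(spool, mailbox, folder, msg + ".wav")
    with open(path, "rb") as f:
        return f.read()


def serve_safe(spool, mailbox, folder, msg):
    """Hardened: reject anything outside the whitelist, then confirm that the
    fully resolved path still lies under the authenticated user's mailbox.
    'mailbox' must come from the session, never from the request."""
    if not FOLDER_RE.match(folder) or not MSG_RE.match(msg):
        raise Forbidden("bad parameter")
    mailbox_dir = os.path.realpath(os.path.join(spool, mailbox))
    path = os.path.realpath(os.path.join(mailbox_dir, folder, msg + ".wav"))
    # realpath collapses '..' and follows symlinks, so this containment check
    # also catches a symlinked folder that the regex alone would let through.
    if os.path.commonpath([mailbox_dir, path]) != mailbox_dir:
        raise Forbidden("path escapes mailbox")
    with open(path, "rb") as f:
        return f.read()


def build_spool(root):
    """Constructed sample tree: two mailboxes plus a system prompt outside the spool."""
    files = {
        "spool/200/INBOX/msg0000.wav": b"RIFF-200-msg",
        "spool/201/INBOX/msg0000.wav": b"RIFF-201-msg",
        "sounds/hello-world.wav": b"RIFF-system-prompt",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return os.path.join(root, "spool")


def attempt(handler, spool, mailbox, folder, msg):
    """Run one request; return the bytes served, or 'refused'."""
    try:
        return handler(spool, mailbox, folder, msg)
    except (Forbidden, FileNotFoundError):
        return "refused"


def demo():
    """User 200 is logged in and requests their own message, another user's
    mailbox, and a system sound file. Returns {name: (unsafe, safe)}."""
    with tempfile.TemporaryDirectory() as root:
        spool = build_spool(root)
        requests = {
            "own":    ("INBOX", "msg0000"),
            "other":  ("../201/INBOX", "msg0000"),
            "system": ("../../sounds", "hello-world"),
        }
        return {
            name: (attempt(serve_unsafe, spool, "200", folder, msg),
                   attempt(serve_safe, spool, "200", folder, msg))
            for name, (folder, msg) in requests.items()
        }


if __name__ == "__main__":
    for name, (unsafe, safe) in demo().items():
        print(f"{name:7s} unsafe={unsafe!r:22s} safe={safe!r}")
```

Both defences matter: the whitelist stops the traversal the advisory describes at the parameter, and the realpath containment check catches anything the whitelist did not anticipate, such as a folder that is a symlink out of the mailbox. Checking the extension alone, as the vulnerable pattern effectively does, is not a security boundary.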


This will return:
when logged in as the 'extension 200' user.

Asterisk has released patches for the vulnerability.
Ensure you are running Asterisk versions > 1.0.9 / 1.2.0-beta1
Ensure you are running Asterisk @ Home versions > 1.5 / 2.0 beta 4

References: advisory

Asterisk advisory note:

Adam Pointon of

Disclosure timeline:
17-Oct-2005 - Discovered during a quick audit of the asterisk web ui
18-Oct-2005 - Email sent to support and the primary author
18-Oct-2005 - Immediate response received
31-Oct-2005 - Patched version committed to CVS
07-Nov-2005 - Advisory released