Family: CGI abuses --> Category: attack
Asterisk Recording Interface 'recording' Parameter Information Disclosure Vulnerability Scan
Vulnerability Scan Summary : Requests a file using ARI's misc/audio.php
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that is affected by
an information disclosure issue.
Description :
The remote host is running Asterisk Recording Interface (ARI), a
web-based portal for the Asterisk PBX software.
The version of ARI installed on the remote host reportedly allows an
unauthenticated attacker to retrieve arbitrary sound files, such as
voicemail messages, and to ascertain the existence of other files on
the remote host by passing a specially crafted path to the 'recording'
parameter of the 'misc/audio.php' script.
See also :
http://www.securityfocus.com/archive/1/431655/30/0/threaded
Solution :
Upgrade to ARI 0.10 / Asterisk@Home 2.8 or later.
Threat Level:
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)