Voicemail wav file downloads
I purchased and installed FOP2, with the Voicemail Explorer add-on, on Friday, and have not been able to get Voicemail Explorer to play the message audio in the browser. When I looked at our Apache logs, I saw that requests for download.php were failing.
I did a little bit of looking into this (though I haven't gotten it working yet) and discovered a couple of problems: First of all, the Apache user needs to have read access to the voicemail directory and files. More importantly, it appears that download.php has no access control of any kind, other than that the file extension is wav. Unless I'm missing something, this PHP script will happily serve any wav file on the system that the Apache user can access - with no access control of any kind. Therefore, given the predictable filename scheme of Asterisk voicemail spools, it would be trivial to download the voicemail messages of any known mailbox on the system.
Am I missing something?
I did a little bit of looking into this (though I haven't gotten it working yet) and discovered a couple of problems: First of all, the Apache user needs to have read access to the voicemail directory and files. More importantly, it appears that download.php has no access control of any kind, other than that the file extension is wav. Unless I'm missing something, this PHP script will happily serve any wav file on the system that the Apache user can access - with no access control of any kind. Therefore, given the predictable filename scheme of Asterisk voicemail spools, it would be trivial to download the voicemail messages of any known mailbox on the system.
Am I missing something?
Comments