Security notice: Open recordings web directory

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Security notice: Open recordings web directory

Postby mflorell » Mon Oct 31, 2022 5:14 pm

I saw this posted today on Twitter, a scanning website has added a new plugin for finding "Vicidial instances exposing recordings"
https://twitter.com/search?q=vicidial&s ... ick&f=live

We do of course suggest at the very least password-protecting your recordings web directory to protect it.
mflorell
Site Admin
 
Posts: 18383
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Security notice: Open recordings web directory

Postby jamiemurray » Tue Nov 01, 2022 4:52 am

I had a thought about this some time ago, I had intended to create a php download handler that would handle the request to access a recording but perform user auth against vicidial before spitting the file out but never got around to doing it.
This would give the benefit of being able to completely remove the recordings folder from public view. Quickest way I could think of doing this without having to re-do all the existing scripts that touch recordings, is to use a rewrite condition to intercept the file access via /RECORDINGS/MP3, pass it to download.php for authorization and spit the file out if all goes ok, otherwise log the failed authentication like a failed user login.

Any suggestions or ideas? I'm thinking quick but solid fix that could potentially become the default with minimal dev work required. Any reason a similar solution hasn't already been implemented?
Skype: live:support_71847 | Tel: (US) +1 646 647 8850 (CA) +1 613 900 6456 (MX) +52 55 9990 3550 (UK) +44 1324 285022 (ES) +34 922 937 384
Managed Hosting - No tech skills required | VoIP Termination & DID numbering | https://jmurraysolutions.com
jamiemurray
 
Posts: 179
Joined: Fri Jan 11, 2013 4:12 pm
Location: Tenerife, Canary Islands

Re: Security notice: Open recordings web directory

Postby jamiemurray » Tue Nov 01, 2022 6:55 am

I gave it a try, it's working a treat on one of my test boxes. I've uploaded what I did on mantis.

http://www.vicidial.org/VICIDIALmantis/view.php?id=1386

Recordings are only accessible with valid vicidial login and modify leads permission. I thought about it after, it would need to be added to QC users too but the basics are there to get started :)
Skype: live:support_71847 | Tel: (US) +1 646 647 8850 (CA) +1 613 900 6456 (MX) +52 55 9990 3550 (UK) +44 1324 285022 (ES) +34 922 937 384
Managed Hosting - No tech skills required | VoIP Termination & DID numbering | https://jmurraysolutions.com
jamiemurray
 
Posts: 179
Joined: Fri Jan 11, 2013 4:12 pm
Location: Tenerife, Canary Islands

Re: Security notice: Open recordings web directory

Postby mflorell » Tue Nov 01, 2022 7:07 am

We actually added the System Setting for "Log Recording Access" years ago with a PHP passthru for indirectly downloading recordings(recording_log_redirect.php). As for the default directory permissions, we'll have to look into the best way to add that on the dialers.
mflorell
Site Admin
 
Posts: 18383
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Security notice: Open recordings web directory

Postby jamiemurray » Tue Nov 01, 2022 7:14 am

I just posted a correction on mantis, I realized afterwards that the htaccess is deleting automatically.
It's now in the apache config for vicirecord

The benefit of this is that it doesn't affect any other user interface things, the existing links are fine, apache handles picking the request up and redirects it to the php script to authenticate the request before the file is returned. I have a few clients where they entirely work remotely (often from dynamic IPs) and locking the recordings folder down or further complicating the process by implementing apache authentication on the folder would just create a support headache for us, so having the permissions based on their user access with no visible changes to the interface or the process they access the recordings is a win-win for us. Functionality remains as is but security is improved.
Skype: live:support_71847 | Tel: (US) +1 646 647 8850 (CA) +1 613 900 6456 (MX) +52 55 9990 3550 (UK) +44 1324 285022 (ES) +34 922 937 384
Managed Hosting - No tech skills required | VoIP Termination & DID numbering | https://jmurraysolutions.com
jamiemurray
 
Posts: 179
Joined: Fri Jan 11, 2013 4:12 pm
Location: Tenerife, Canary Islands

Re: Security notice: Open recordings web directory

Postby jamiemurray » Tue Nov 01, 2022 7:24 am

I also just added the ability for QC users to access recordings.
Skype: live:support_71847 | Tel: (US) +1 646 647 8850 (CA) +1 613 900 6456 (MX) +52 55 9990 3550 (UK) +44 1324 285022 (ES) +34 922 937 384
Managed Hosting - No tech skills required | VoIP Termination & DID numbering | https://jmurraysolutions.com
jamiemurray
 
Posts: 179
Joined: Fri Jan 11, 2013 4:12 pm
Location: Tenerife, Canary Islands

Re: Security notice: Open recordings web directory

Postby njr » Tue Jan 16, 2024 1:37 pm

mflorell wrote:We actually added the System Setting for "Log Recording Access" years ago with a PHP passthru for indirectly downloading recordings(recording_log_redirect.php). As for the default directory permissions, we'll have to look into the best way to add that on the dialers.

Was any progress made on this? This is the most recent result I found searching the forum. Our install, done by the VICIdial team, has open-to-anyone recording directories. I would like to lock them down, but am unsure what that might break. Is it safe to make them inaccessible outside of the local network, or put them behind a password?

Thanks
Vicibox 11 from .iso installed/set up by Vicidial | Vicidial 2.14-900a Build: 231115-1636 | Asterisk 16.30.0-vici | 10-server cluster (1 primary DB, 1 primary web, 8 asterisk) in Colo DC | OpenSIPS on web as LB | 10x Dell R740XD
njr
 
Posts: 16
Joined: Fri Dec 08, 2023 1:41 pm

Re: Security notice: Open recordings web directory

Postby mflorell » Wed Jan 17, 2024 1:24 pm

We will usually just manually add password protection to the recordings web directory, but this can break some automated functions on the back-end, like any exporting of recordings that may be set up.
mflorell
Site Admin
 
Posts: 18383
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Security notice: Open recordings web directory

Postby Op3r » Wed Jan 17, 2024 1:56 pm

the best way to secure anything vicidial without breaking anything is :

iptables whitelist.

This have saved my ass every pci, vapt, security audit.
Get paid for US outbound Toll Free calls. PM me.
Op3r
 
Posts: 1432
Joined: Wed Jun 07, 2006 7:53 pm
Location: Manila


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 53 guests