vicidial.org

[knotbeerdan]

Over the weekend one of my co workers found a bug in goautodial. I am unsure if it is because of the way we configured the system or if it is a bug.

He found out that we are able to dial through the softphone (counterpath eyebeam) without entering valid phone credentials and registering the softphone first.

Can anyone reproduce this issue?

[williamconley]

That's not a bug.

That's a feature.

It can be turned off in sip.conf (Kumba put out a security notice for Vicibox on this a couple months back).

Code: Select all

;allowguest=no                  ; Allow or reject guest calls (default is yes)

Oh! And THANKS for posting your specs! I love it when you guys do that.

[knotbeerdan]

Thanks for the response... This may be a dumb question but isnt this a security risk for anyone who is using vicidial in production?

And although I do have my specs I must change them since we are running goautodial in a Citrix virtual environment. (which works pretty well by the way, just cant install the Xenserver tools or run the dialers in PVM mode )

[williamconley]

OK, now you have my attention. My recollection of Citrix was "remote access" not "virtual environment", so please enlighten me there a bit if you will.

And YES that's a security risk, which is why Kumba issued a Security Alert on the Vicibox Board to fix it.

In theory, the trunkinbound context should be where all sip calls land ... BUT "unauthenicated" (ie: guest) will use the default context instead: the default context in sip.conf is set to "default" instead of "trunkinbound".

Changing that could have an unknown effect on the rest of the system, so it is easier to require authentication for all inbound calls. If all sip.conf contexts require user/pass (with hard-to-crack user/pass!) or have specified host IPs ... then turning off guest will point all sip calls to the contexts specified in each sip peer's "context=" value. Since agents are in "default" but have user/pass, they are assumed safe. All carriers should be assigned "trunkinbound" so they are safe because "trunkinbound" will ONLY go to the agi for inbound calls in Vicidial (no way out).

[gardo]

Can you list down the steps to be able to dial out without authentication? We'll try to replicate it in a default GoAutoDial install.

Over the weekend one of my co workers found a bug in goautodial. I am unsure if it is because of the way we configured the system or if it is a bug.

He found out that we are able to dial through the softphone (counterpath eyebeam) without entering valid phone credentials and registering the softphone first.

Can anyone reproduce this issue?

[williamconley]

Dialout isn't the issue: the "guest" user in SIP allows inbound calls ... and if the default context is set to "default" ... then the guest account will execute dialplan in "default" which is where vicidial keeps its dialplan. Solution: turn off guest. Require authentication (ie: user/pass or valid IP address matching a "host" entry in a sip context).