Unauthenticated Call Recording File Access

Hello,

If you open in any browser: http://server.ip/monitor/2021/09/10/074513-OUT-NONE-100-8884449898-1631274313.1641.wav

You can access the file even if you are not authenticated.

Please fix.

Thanks


What would be the security issue here?

How can an unauthorized user get that path?

What PitzKey means:
ANYONE can access that file. But yes, it's hard to guess the filename at least.

I actually use that “not needing to be authenticated” in one of my installations.
So if this is changed this needs to be optional again.

Even if you only take this part:
“074513-1631274313.1641”
It would need 10000+ centuries to brute-force it.


The point is that you may want to share the recording URL with another team member, but only people who can log in should be able to play the recording.


You can give it access to the Sonata Recordings in case you want to limit the access to certain call recordings or give it access to the VitalPBX’s GUI.

Another option would be sending the recording file instead of the URL.

Maybe in the future, we implement something of what you are asking for. In the meantime, we can offer you the above workarounds.

Do we have any updates on this?

I believe this is still considered a security issue.

Here is the scenario @miguel and @mo10 @PitzKey

Specific users are authenticated and able to access confidential calls, like finance.

What if one of those authenticated users shares the download link publicly, or discloses it to gain something?

First, how do I know who shared the recording link? And second,
I can't trust anyone, even authenticated users.

Hope you consider doing something or adding additional security before they can access it.
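One way to get what the two posts above ask for (the recording playable only by someone who has logged in, and a leaked link traceable to the account it was issued to) is to hand out signed, expiring per-user URLs instead of the bare `/monitor/...` path. The following is an added example, not VitalPBX or Sonata code; the signing key, the `u`/`e`/`s` query parameters and the function names are assumptions for illustration. The recording path is the one from the original post.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for this example only. A real deployment loads the key
# from protected storage and rotates it; this is not a VitalPBX setting.
SIGNING_KEY = b"example-only-secret-key-rotate-me"

# Path from the original report (constructed sample for the example).
RECORDING_PATH = "/monitor/2021/09/10/074513-OUT-NONE-100-8884449898-1631274313.1641.wav"


def _mac(path: str, user: str, expires: int, key: bytes) -> str:
    # Bind the token to the exact file, the user it was issued to and an
    # expiry, so a link that gets shared names its origin and goes stale.
    msg = f"{path}\n{user}\n{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_recording_url(path: str, user: str, ttl_seconds: int,
                       key: bytes = SIGNING_KEY, now: Optional[int] = None) -> str:
    """Issue a URL for `path` to an already-authenticated `user`, valid for ttl_seconds."""
    if now is None:
        now = int(time.time())
    expires = now + ttl_seconds
    query = urlencode({"u": user, "e": expires, "s": _mac(path, user, expires, key)})
    return f"{path}?{query}"


def verify_recording_url(url: str, key: bytes = SIGNING_KEY,
                         now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether to serve the file.

    Returns (allowed, detail): detail is the issuing user on success, so the
    access log records who the link belonged to, or the rejection reason.
    """
    if now is None:
        now = int(time.time())
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        user = qs["u"][0]
        expires = int(qs["e"][0])
        sig = qs["s"][0]
    except (KeyError, IndexError, ValueError):
        # The bare path the original post opened in a browser lands here.
        return False, "missing or malformed token"
    # Check the MAC before trusting anything in the query string.
    expected = _mac(parts.path, user, expires, key)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > expires:
        return False, f"expired token issued to {user}"
    return True, user


if __name__ == "__main__":
    issued_at = 1_700_000_000  # fixed clock so the run is reproducible
    link = sign_recording_url(RECORDING_PATH, "alice", 600, now=issued_at)
    print("issued:", link)
    print("fresh:", verify_recording_url(link, now=issued_at + 100))
    print("stale:", verify_recording_url(link, now=issued_at + 601))
    print("bare path:", verify_recording_url(RECORDING_PATH, now=issued_at))
    print("other file:", verify_recording_url(link.replace("1641.wav", "1642.wav"), now=issued_at))
```

The web server would hand `/monitor/...` requests to `verify_recording_url` and serve the file only on success; the `user` it returns goes into the access log, which answers the "how do I know who shared the link" question above. A short TTL limits how long a pasted link stays usable, and because the path is part of the signed message, a token for one recording cannot be edited into a token for another.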

You can prohibit access to CDRs! That will prevent users from accessing call recordings.

@miguel Not sure what you are saying. Can you guide us on how to do this?

Using the User Profiles/Roles to remove the permission to access the CDR module from the VitalPBX GUI!

I am referring to Sonata Recordings, not the VitalPBX GUI!

Regardless. If someone gets hold of a URL that contains a recording and it doesn't require authentication, it is a breach of security...