Unauthenticated Call Recording File Access


If you open in any browser: http://server.ip/monitor/2021/09/10/074513-OUT-NONE-100-8884449898-1631274313.1641.wav

You can access the file even if you are not authenticated.

Please fix.


What would be the security issue here?

How can an unauthorized user get that path?

What PitzKey means:
ANYONE can access that file. But yes, it's hard to guess the filename at least.

I actually use that “not needing to be authenticated” in one of my installations.
So if this is changed this needs to be optional again.

Even if you only take this part:
It would need 10000+ centuries to bruteforce it.


The point is that if you want to share the recording URL with another team member, only people who can log in should be able to play the recording.

You can give it access to the Sonata Recordings in case you want to limit the access to certain call recordings or give it access to the VitalPBX’s GUI.

Another option would be sending the recording file instead of the URL.

Maybe in the future we will implement some of what you are asking for. In the meantime, we can offer you the above workarounds.
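As an added example, not VitalPBX's code and not code posted by anyone in this thread, here is the behaviour PitzKey is asking for: a download gate that only resolves a `/monitor/...` URL to a file after a GUI login session has been verified. The URL layout is taken from the report above; the session store, the token values, the `SessionStore`/`authorize_recording`/`make_demo_root` names and the temporary recording tree are assumptions made for the example.

```python
import hmac
import re
import tempfile
from pathlib import Path

# The recording URL quoted in the report follows this layout:
#   /monitor/2021/09/10/074513-OUT-NONE-100-8884449898-1631274313.1641.wav
# i.e. /monitor/YYYY/MM/DD/HHMMSS-DIRECTION-TAG-EXTENSION-NUMBER-EPOCH.SEQ.wav
URL_PATTERN = re.compile(
    r"^/monitor/(\d{4})/(\d{2})/(\d{2})/"
    r"(\d{6}-(?:IN|OUT)-[A-Z]+-\d+-\d+-\d+\.\d+\.wav)$"
)


class SessionStore:
    """Minimal stand-in for the PBX GUI's login sessions (assumed, not VitalPBX's)."""

    def __init__(self):
        self._tokens = {}

    def login(self, token, username):
        self._tokens[token] = username

    def user_for(self, token):
        """Return the user owning `token`, or None. The comparison is constant-time
        so response timing does not reveal how much of a guessed token was right."""
        if not token:
            return None
        for known, user in self._tokens.items():
            if hmac.compare_digest(known, token):
                return user
        return None


def authorize_recording(url_path, session_token, sessions, root):
    """Decide whether a request for `url_path` may be served.

    Returns (status, path):
      401 when no valid login session accompanies the request,
      404 when the path is malformed, escapes `root`, or names no file
          (one answer for all three so the file's existence is not leaked),
      200 with the resolved file to send.
    """
    if sessions.user_for(session_token) is None:
        return 401, None
    match = URL_PATTERN.match(url_path)
    if match is None:
        return 404, None
    year, month, day, name = match.groups()
    root = Path(root).resolve()
    target = (root / year / month / day / name).resolve()
    # Defense in depth: the regex already forbids '..' and '/', but also make sure
    # the resolved path (symlinks followed) still sits below the recording root.
    if root not in target.parents:
        return 404, None
    if not target.is_file():
        return 404, None
    return 200, target


def make_demo_root():
    """Create a throwaway recording tree holding the file named in the report.
    The file content is a constructed placeholder, not a real WAV."""
    root = Path(tempfile.mkdtemp(prefix="monitor-"))
    rec_dir = root / "2021" / "09" / "10"
    rec_dir.mkdir(parents=True)
    (rec_dir / "074513-OUT-NONE-100-8884449898-1631274313.1641.wav").write_bytes(b"RIFF")
    return root


if __name__ == "__main__":
    sessions = SessionStore()
    sessions.login("tok-demo", "alice")  # constructed session token
    root = make_demo_root()
    url = "/monitor/2021/09/10/074513-OUT-NONE-100-8884449898-1631274313.1641.wav"
    print(authorize_recording(url, None, sessions, root))        # (401, None)
    print(authorize_recording(url, "tok-demo", sessions, root))  # (200, <path>)
```

The check runs before any filesystem access, so an unauthenticated request learns nothing about which recordings exist. Keeping the "no login required" mode optional, as the second poster needs, is then a matter of skipping the session check for a configured path, not of leaving every path open.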