Summary:ASTERISK-05735: [patch] Able to access other voicemail boxe if entering VoicemailMain() with no context
Reporter:sivana (sivana)Labels:
Date Opened:2005-11-29 11:19:37.000-0600Date Closed:2011-06-07 14:02:50
Versions:Frequency of
Environment:Attachments:( 0) 20051129__fix_vm_docs.diff.txt
Description:If you have other contexts and you enter VoicemailMain() with no context, it will search the first available matching mailbox -- in any context.

VoicemailMain should default to within the @default context only.
Comments:By: Tilghman Lesher (tilghman) 2005-11-29 12:00:58.000-0600

This is not a MAJOR bug, nor is a bug at all.  It's an intentional design feature.

By: Clod Patry (junky) 2005-11-29 12:04:30.000-0600

I disagree, since we have this description:
 VoiceMailMain([mailbox][@context][|options]): This application allows the
calling party to check voicemail messages. A specific mailbox, and optional
corresponding context, may be specified. If a mailbox is not provided, the
calling party will be prompted to enter one. If a context is not specified,
the 'default' context will be used.

so if called like: VoiceMailMain(), the search has to be only in default context no?

By: Tilghman Lesher (tilghman) 2005-11-29 12:45:25.000-0600

Documentation fix uploaded.

By: Clod Patry (junky) 2005-11-29 12:46:43.000-0600

I provided him a patch to restrict to the default context if none specified, we'll have to choose, which way we really want here.

By: sivana (sivana) 2005-11-29 13:24:26.000-0600

IMO, this creates a security issue if no context is specified.

By: Tilghman Lesher (tilghman) 2005-11-29 14:33:05.000-0600

I don't understand how that creates a security problem.  Could you explain it to me?

By: sivana (sivana) 2005-11-29 14:38:22.000-0600

I came across this, which I think is a bug, by a user saying that the mailbox he was checking wasn't his.  By not expliclity supplying the context, one user could listen to someone else's voicemail.

By: sivana (sivana) 2005-11-29 14:40:40.000-0600

Maybe more a privacy issue than a security issue.

By: sivana (sivana) 2005-11-29 14:42:19.000-0600

Search "all" by default is no feature.

There should be an optional parameter that specifies "all" and leave the empty context default to "default".

By: Tilghman Lesher (tilghman) 2005-11-29 15:10:49.000-0600

That can only occur if both mailboxes have the same password or if you're using the 's' option.  Of course, if you're using the 's' option, you already knew there was a security risk, as you're skipping security!

By: sivana (sivana) 2005-11-29 15:14:23.000-0600

In a larger organization such as ours, we default mailbox passwords.  Some users leave the passwords as is.  Thus, leading us to find this BUG.

By: Tilghman Lesher (tilghman) 2005-11-29 15:48:04.000-0600

Again, it's a security issue because of the way that you've chosen to do passwords and is therefore a security issue with your site policies.  It is not a bug.

By: sivana (sivana) 2005-11-29 16:02:23.000-0600

This is bad design.  But anyways, what do I know, I'm just an end-user.

Workaround:  Make sure you have @default listed in the VoicemailMain()


As Corydon76 says, tell all your users not to use the same password.

By: Andrew Kohlsmith (akohlsmith) 2005-11-29 17:21:22.000-0600

I'm sorry, but this is bullshit.

Instead of fixing the problem, you wimp out and "correct" the documentation, which makes Asterisk HARDER to understand and use.

Having Asterisk pick up the first random context it can is a horrible, horrible way to run things.  Consistency should be what you're out to get, and these random little "oh it just picks what it can find in an pseudorandom, semidocumented and impossible to repeat across any given set of systems" are not helping in any way shape or form.

Honestly, the correct fix would be to have it default to "default" if no context is given.  If someone doesn't want a 'default' context (which is admirable) then they should be EXPLICITLY specifying the context to search, not relying on this.

Can you give me *any* situation where what you did makes things better??!

By: Tilghman Lesher (tilghman) 2005-11-29 17:36:43.000-0600

Sure, if each context specifies a different department, possibly mounted on different disks, then being able to search across all contexts is a feature.

By: sivana (sivana) 2005-11-29 17:41:41.000-0600

Even with your logic, if two mailboxes just happen to have the same password, then one department can read the other's voice mail. THIS IS NOT RIGHT.

Add a "search" or "all" flag, but don't make the search by default when the rest of Asterisk is based on the default being associated with [default] contexts.

By: Andrew Kohlsmith (akohlsmith) 2005-11-29 17:44:58.000-0600

That seems like a VERY contrived example, but as you pointed out in IRC, the code is SPECIFICALLY doing this.  Perhaps in the voicemail rewrite we can address this, as it's an egregious violation of "path of least surprise" and consistency across asterisk installations.  In the meantime can the patch please correct the documentation such that it explains HOW the first match is identified?  Is it the first context with a matching box # found in a top-down search of voicemail.conf or ?  The patch just raises the next question, "Ok, how is the first match found?"

By: Andrew Kohlsmith (akohlsmith) 2005-11-29 17:46:27.000-0600

More than that, Sivana, it greatly increases the chances of the message being left in the WRONG voicemail box.  I think that's a bigger problem than the issue of a possibility of same passwords.

By: Tilghman Lesher (tilghman) 2005-11-29 17:48:29.000-0600

sivana:  then don't give everybody the same default password.

By: sivana (sivana) 2005-11-29 17:50:29.000-0600

Are you for real?!  Seriously.

By: Andrew Kohlsmith (akohlsmith) 2005-11-29 17:53:43.000-0600

Corydon, this is VERY standard for any mid-large size PBX.  A new user is given a default password of 0000 or 1000 or something, and forced to change it on first VM access.  Every PBX and KSU I know of does this.  

VoiceMailMain just needs the same kind of functionality.  Perhaps our good Sivana will apply that kind of patch to better the app.

By: sivana (sivana) 2005-11-29 18:08:35.000-0600

What's going to happen if two users by chance choose the same password?

By: Tilghman Lesher (tilghman) 2005-11-29 18:10:41.000-0600

Given that you don't want this behavior, you're going to specify @context in the call to VoicemailMain, and you won't get this behavior.

By: sivana (sivana) 2005-11-29 18:20:27.000-0600

Corydon, I'm talking about in your scenario.  What happens if two users in different departments by chance pick the same password?

By: Tilghman Lesher (tilghman) 2005-11-29 18:31:44.000-0600

Since all mailbox numbers are unique, there's no conflict.

By: twisted (twisted) 2005-11-29 21:35:59.000-0600

Fixed in SVN trunk, Thanks!

Corydon76: If you would like a search flag, please submit as a separate bug/feature request.

By: twisted (twisted) 2005-11-29 21:36:32.000-0600

drumkilla: I did not use the patch on this bug, but if you need it, i'll be glad to provide.

By: Digium Subversion (svnbot) 2008-01-15 16:02:25.000-0600

Repository: asterisk
Revision: 7225

U   trunk/ChangeLog
U   trunk/UPGRADE.txt
U   trunk/apps/app_voicemail.c

r7225 | twisted | 2008-01-15 16:02:25 -0600 (Tue, 15 Jan 2008) | 2 lines

issue ASTERISK-5735