Data Security

Discussion in '3CX Phone System - General' started by shanus6, Sep 29, 2015.

Thread Status:
Not open for further replies.
  1. shanus6

    Joined:
    Apr 16, 2015
    Messages:
    17
    Likes Received:
    0
    Hi Guys,

    Just a question in regards to data security.

    If I go to a web browser and type in either

    [my FQDN]:5000/provisioning/[folder name]/yealink_phonebook.xml
    or
    [my static IP]:5000//provisioning/[folder name]/yealink_phonebook.xml

    the entire contents of my company phonebook are listed. This means anyone with a web browser can access this information, along with all of my phone provisioning files etc.

    I tried this from my mobile phone browser and the results were the same, just to rule out any chance of it being somehow connected via LAN.

    How do I secure this information? These files in the same folder contain user IDs and extension passwords in PLAIN TEXT!

    I thought I had very strict firewall rules in place: in Windows Firewall I have massive geographical blocks of IP addresses blocked (after I had a bunch of login attempts) that stopped them, and in 3CX I have an extensive list of blocked IPs and whitelisted IPs.

    Am I being paranoid, or are the chances of someone figuring out the unique provisioning folder name and guessing the rest of the file string real?

    My setup is 3CX running on a Win7 machine behind a router with a firewall. Windows Firewall turned On.

    Any tips/suggestions?
     
  2. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    645
    Likes Received:
    1
    Hi there,
    The provsubdir string is random for each installation and consists of an alphanumerical string of 10 chars. I'll let you do the math on this, but basically that's zillions of possible paths. Furthermore, an attacker trying to guess this by brute force will get blacklisted automatically thanks to the anti-hacking features, so you can forget this.
    Anyway, through your router/firewall you should filter which IPs can reach your web and sip ports so that you allow only trusted sources to access the phone system...
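The math the reply above leaves to the reader, as an added example that is not part of the original thread: the size of a 10-character alphanumeric path, its entropy, and how long blind guessing would take at a given request rate, plus how many source addresses an attacker would burn if each one is blacklisted after a few failed requests. The 62-character alphabet (upper, lower, digits), the 1000 requests/second rate and the 25-attempts-before-block threshold are assumptions for illustration; the page gives no such figures.

```python
import math

ALPHANUMERIC = 62      # assumed: a-z, A-Z, 0-9 (the thread only says "alphanumerical")
LOWER_ALNUM = 36       # alternative assumption: lowercase letters and digits only
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def expected_guesses(space: int) -> int:
    """On average a blind guesser must try half the space before hitting."""
    return space // 2


def years_to_guess(space: int, requests_per_second: float) -> float:
    """Expected wall-clock time to guess a uniformly random path at a fixed rate."""
    return expected_guesses(space) / requests_per_second / SECONDS_PER_YEAR


def sources_burned(space: int, attempts_before_block: int) -> int:
    """Source addresses an attacker would lose if each one is blacklisted
    after `attempts_before_block` failed requests (assumed threshold)."""
    return math.ceil(expected_guesses(space) / attempts_before_block)


def summarize(alphabet_size: int = ALPHANUMERIC, length: int = 10,
              requests_per_second: float = 1000.0, block_after: int = 25) -> dict:
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "entropy_bits": round(entropy_bits(alphabet_size, length), 2),
        "years_at_rate": years_to_guess(space, requests_per_second),
        "sources_burned": sources_burned(space, block_after),
    }


if __name__ == "__main__":
    # NOTE: none of this helps once the fixed per-install path has been
    # disclosed (e.g. copied out of a provisioning file); entropy only
    # defends against guessing, not against leakage.
    for size in (ALPHANUMERIC, LOWER_ALNUM):
        print(size, summarize(alphabet_size=size))
```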
     
  3. Patch1

    Joined:
    Jun 29, 2013
    Messages:
    12
    Likes Received:
    0
    It is fixed for each installation, so anyone who knows it will have permanent access to that data until 3CX is reinstalled. The easiest way to find the provisioning folder is to open a welcome email config file with a text editor (anyone who has ever been sent a welcome email). Alternatively, watching where a phone registered to your PABX looks for its provisioning (blocking 5001 & 443 makes it easier) (e.g. using a 3CX on someone else's wifi, or anyone who gets access to a provisioned phone).

    So not wonderful from a security perspective. Whitelisting the portion of the internet you trust could limit your exposure, but it is not easy to achieve real access restriction if mobile devices are supported.
     