PT-2006-3005 · Digium · Asterisk@Home

Francois Harvey · Published 2006-04-25 · Updated 2018-10-18 · CVE-2006-2021

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Asterisk@Home versions prior to 2.8

Description: The issue allows remote attackers to read arbitrary MP3, WAV, and GSM files via a full pathname in the recording parameter in the Asterisk Recording Interface (ARI) web interface. This can also be used to determine the existence of files.

Recommendations: For versions prior to 2.8, update to version 2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the recordings/misc/audio.php file to minimize the risk of exploitation. Avoid using the recording parameter with full pathnames in the affected API endpoint until the issue is resolved.
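
To check whether the behaviour described above shows up in existing web server logs, the following added example (not part of the original advisory or of Asterisk@Home) flags requests to recordings/misc/audio.php whose recording value is a full pathname outside the expected recordings directory. The combined log format, the ALLOWED_ROOT directory and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

ARI_SCRIPT = "/recordings/misc/audio.php"   # script named in the advisory
ALLOWED_ROOT = "/srv/example/recordings"    # hypothetical recordings directory

# Client, request target and status from a combined-format access log line.
LOG_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2006:10:00:00 +0000] "GET /recordings/misc/audio.php'
    '?recording=/srv/example/recordings/1001/msg0001.wav HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Apr/2006:10:01:00 +0000] "GET /recordings/misc/audio.php'
    '?recording=%2Fsrv%2Fexample%2Fother%2Fcall.gsm HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/Apr/2006:10:01:05 +0000] "GET /recordings/misc/audio.php'
    '?recording=/srv/example/recordings/../other/a.mp3 HTTP/1.1" 404 0',
    '192.0.2.10 - - [25/Apr/2006:10:02:00 +0000] "GET /recordings/index.php HTTP/1.1" 200 900',
]

def flag_requests(lines, allowed_root=ALLOWED_ROOT):
    """Return (client, status, path) for full pathnames outside allowed_root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), urlsplit(m.group(2)), int(m.group(3))
        if not target.path.endswith(ARI_SCRIPT):
            continue
        # parse_qs percent-decodes, so %2F-encoded separators are seen as "/".
        for value in parse_qs(target.query).get("recording", []):
            if not value.startswith("/"):
                continue  # the advisory concerns full pathnames only
            path = posixpath.normpath(value)  # collapse "../" before comparing
            if path != allowed_root and not path.startswith(allowed_root + "/"):
                hits.append((client, status, path))
    return hits

def paths_by_client(hits):
    """Group distinct flagged paths per client; many paths suggests existence probing."""
    grouped = {}
    for client, _status, path in hits:
        grouped.setdefault(client, set()).add(path)
    return {client: sorted(paths) for client, paths in grouped.items()}

if __name__ == "__main__":
    for client, paths in paths_by_client(flag_requests(SAMPLE_LOG)).items():
        print(client, paths)
```

The status code is kept in each hit because differing responses for existing and missing files are what make the file-existence check in the description possible.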


Related identifiers: CVE-2006-2021

Affected products: Asterisk@Home