1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. If you had a PIAF Forum account in the vBulletin days, log in with your old credentials. Otherwise, sign up again and we'll get you back in business as soon as we can.
  3. A serious FreePBX vulnerability has been reported. Update your Framework Module immediately. Click here for details.

R.I.P. FreePBX 2.10 Latest Beta: Voicemail and Recordings asks for Auth Password

Discussion in 'Bug Reporting and Fixes' started by markieb, Feb 22, 2012.

  1. markieb Member

    Today I updated to FPBX 2.10.0rc1.3, and wish I hadn't!

    Ever since the update, when trying to access the Voicemail & Recordings I keep getting the Security Login & Password before I get the ext number login & password.
    This wasn't the case earlier today before the FPBX 2.10 update.

    I have tried every single suggestion and supposed solutions, most are out of date for previous versions, and absolutely nothing works.
    Cancelling the Auth login will get me further, but it's rather annoying to have it keep popping up every time I try to do anything in Voicemail & Recordings.

    I really have tried everything suggested in all the posts I could find.

    PIAF Installed Version = 2.0.6.2 under *HARDWARE*
    FreePBX Version = 2.10.0rc1.3
    Running Asterisk Version = 1.8.8.0
    Asterisk Source Version = 1.8.8.0

    Any suggestions to get rid of this problem would be much appreciated. :banghead:
  2. tbrummell Guru

  3. tm1000 Schmoozecom INC/FreePBX

    This is a PBX in a flash + freepbx combined issue. You have to turn off HTTP auth for the recordings directory AND make sure you change the admin password.

    its been around long before 2.10.x
  4. markieb Member

    Decided to to do a full wipe and install. 6 hours later I'm back to where I was before the upgrade and it all works perfectly.

    Thanks for the suggestions though, unfortunately couldn't get any of them to solve my problem.
  5. wardmundy Nerd Uno

    We strongly discourage any changes to the PIAF security model... if you care about your phone bill.
    Twilight Sparkle likes this.
  6. tbrummell Guru

    But Ward, if you don't remove the .htaccess for the /recordings directory, users cannot use the Voicemail & Recordings feature to check messages.
  7. wardmundy Nerd Uno

    I haven't used what you're using so I'm just trying to figure out what the problem is...

    We're talking about using a web browser to access this information. Correct?

    We imposed .htaccess controls on this directory, but any valid user with Apache credentials can access that folder. Does this not work?

    You are aware that you can save your Apache credentials as part of the login process so you don't have to do it over and over again?

    The issue from our vantage point is S-E-C-U-R-I-T-Y. You say it's the only way for users to check their messages. We say they may or may not be the only folks that can check the messages. My recollection is that this software has had "issues" in the past... but I could be wrong.
  8. tm1000 Schmoozecom INC/FreePBX

    Ward come on!

    Do I have to go through this forum and list the at least 5 threads about this same issue that have cropped up over the last 5 years! It's an http authentication issue combined with a Freepbx issue. It has nothing to do with 2.10

    I just want you to admit that for once. Please! :banghead:
  9. wardmundy Nerd Uno

    Not Trying to Be Dense...

    As I said, I haven't used the latest FreePBX 2.10 update so I thought perhaps something had changed. That's what markieb said!!

    Markieb stated:


    If this isn't a new issue with the latest FreePBX update, then the approach I outlined above works just fine. That's why I asked the questions above.

    To repeat the advice in detail...

    1. Create an htaccess username and password for authorized users of the ARI app: htpasswd /usr/local/apache/passwd/wwwpasswd <username>
    2. From the PIAF GUI, have the users log into the ARI app with their browser by clicking on the Voicemail & Recordings button.
    3. User enters the username and password chosen for Apache access to the ARI directory and SAVEs the username and password when prompted whether to do so by the browser.
    4. After that, logging in to ARI works just as it does with the default ARI password mechanism in FreePBX (as shown below). There will be no htaccess password prompt on future login attempts. This is STANDARD BROWSER BEHAVIOR.

    [IMG]


    PLEASE REPORT BACK WHETHER THIS SOLVED YOUR PROBLEM USING THE LATEST FREEPBX 2.10 UPDATES.
  10. gregc Guru

    Never use that to access but thought I'd check since I have that freepbx version. It does ask to authenticate. Hitting cancel allows me to go through though. It pops up again a couple more times in, but hitting cancel lets me continue in and download voicemails.

    -Greg
  11. wardmundy Nerd Uno

    What browser and version? Sounds more like a browser issue to me. You didn't accidentally tell it not to save your access password in the past? This would carry over from other web site locations on your PIAF server, e.g. FreePBX, reminders, MeetMe, etc.
  12. gregc Guru

    This is using Chrome on a different machine to make sure that wasn't happening. I just a complete clear browsing history from beginning of time (just to be sure) and re-tested with the same result.

    -Greg
  13. gregc Guru

    IE6 has the same result although I have to hit cancel 3-4 times each time it pops up.

    -Greg
  14. markieb Member

    Yip that's exactly what I was talking about.

    I cleared caches etc. tried 4 different machines and 4 different browsers too. Followed every single thread from the past few years about it and nothing sorted it.

    It's easy enough to just close the login prompt and carry on, but it gets annoying, and users constantly complaining about it gets a bit much too.
    As I said, did a whole clean downgrade and the problem dissapeared. :crazy:
  15. wardmundy Nerd Uno

    I guess some additional feedback from others would be helpful. I'm using PIAF2 with Asterisk 1.8 and FreePBX 2.9 and see no problems using Chrome 18.0 or Firefox 10 under Mac OS X 10.6 or 7 as well as Microsoft 7 Ultimate. With IE 8, the login box reappears on subsequent logins but the username and password already are filled in. So you just press Enter. That is typical Microsoft (crapola) behavior for web-protected site access.

    What was the answer to whether you initially saved your login credentials when prompted by the browser to do so??

    And what operating system is in use for the desktop machine(s)??
  16. wardmundy Nerd Uno

  17. Giovanni New Member

    Hi Ward

    I have tried your snippet

    while visiting the http://192.168.64.200/recordings/ page I still get a login pop up with the title "Restricted Admin Area" which as far as I understand is due to this in pbx.conf

    Code:
    #Password proctect /var/www/html/admin
    <Directory /var/www/html/admin>
    AuthType Basic
    AuthName "Restricted Admin Area"
    AuthUserFile /usr/local/apache/passwd/wwwpasswd
    Require user wwwadmin maint
    </Directory>
    
    Obviously we only want "maint" and "wwwadmin" to be able to access the admin page, the problem lies in that the THEME for the /recordings/index.php page is referring to the full path of the .css stylesheet which resides within /var/www/html/admin (password protected to other users)

    So even if user logged in as "phone" aka the dummy account I made above, the pop up persists....
  18. Hyksos Guru

Share This Page