Asterisk Recording Interface (ARI) misc/audio.php recording Parameter Traversal Arbitrary File Access

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP application that is affected by
an information disclosure issue.

Description :

The remote host is running Asterisk Recording Interface (ARI), a
web-based portal for the Asterisk PBX software.

The version of ARI installed on the remote host reportedly allows an
unauthenticated attacker to retrieve arbitrary sound files, such as
voicemail messages, and to determine the existence of other files on
the remote host by passing a specially crafted path to the 'recording'
parameter of the 'misc/audio.php' script.
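As an added example (not code from Tenable's plugin or from ARI itself), the two defender-side checks this description calls for: a server-side validation of a 'recording' value that canonicalises the requested path and refuses anything that resolves outside the recordings directory or is not an audio file, and a scan of web server access logs for requests to misc/audio.php whose 'recording' parameter escapes that directory. The base directory, the combined-format log lines and the client addresses are all constructed for the example; the vulnerable ARI code is not reproduced.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the recordings served by audio.php (constructed, not ARI's own config).
RECORDINGS_ROOT = "/var/spool/asterisk/voicemail"
AUDIO_EXTENSIONS = {".wav", ".wav49", ".gsm"}


def is_safe_recording_path(base_dir, recording):
    """Mitigation check: True only if `recording` resolves inside base_dir and names an audio file.

    Canonicalising with realpath before the prefix comparison is what defeats
    '..' segments, absolute paths and symlink tricks; a plain substring test does not.
    """
    if "\x00" in recording:  # NUL bytes can truncate the path in C-backed file APIs
        return False
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, recording))
    if os.path.commonpath([base, candidate]) != base:
        return False
    return os.path.splitext(candidate)[1].lower() in AUDIO_EXTENSIONS


def recording_param_flags(value):
    """Reasons a decoded 'recording' query value looks like it escapes the recordings directory."""
    decoded = unquote(unquote(value))  # parse_qs decoded once already; catch double-encoding too
    flags = []
    if ".." in re.split(r"[\\/]", decoded):
        flags.append("dot-dot segment")
    if decoded.startswith(("/", "\\")):
        flags.append("absolute path")
    if "\x00" in decoded:
        flags.append("null byte")
    return flags


# Request line of the Apache/nginx combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[0-9.]+"')


def scan_access_log(log_text):
    """Detection: return one finding per misc/audio.php request whose 'recording' value is suspicious."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/misc/audio.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("recording", []):
            flags = recording_param_flags(value)
            if flags:
                findings.append({"client": line.split()[0], "recording": value, "flags": flags})
    return findings


# Constructed sample log lines: one legitimate playback, two traversal attempts, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2006:10:00:01 +0000] "GET /recordings/misc/audio.php?recording=default/1000/INBOX/msg0000.wav HTTP/1.1" 200 51234
10.0.0.9 - - [21/Apr/2006:10:00:07 +0000] "GET /recordings/misc/audio.php?recording=../../../../etc/passwd HTTP/1.1" 200 1823
10.0.0.9 - - [21/Apr/2006:10:00:09 +0000] "GET /recordings/misc/audio.php?recording=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 212
10.0.0.7 - - [21/Apr/2006:10:00:12 +0000] "GET /recordings/index.php HTTP/1.1" 200 4411
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(is_safe_recording_path(RECORDINGS_ROOT, "default/1000/INBOX/msg0000.wav"))  # True
    print(is_safe_recording_path(RECORDINGS_ROOT, "../../../../etc/passwd"))          # False
```

The log scan catches the encoded variant because parse_qs decodes the query once and recording_param_flags decodes again; the path check does not rely on pattern matching at all, so it also rejects inputs the scanner's regexes would miss, which is why the realpath comparison is the control to deploy and the log scan only the way to find past abuse.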

See also :

http://www.securityfocus.com/archive/1/431655/30/0/threaded

Solution :

Upgrade to ARI 0.10 / Asterisk@Home 2.8 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 21304 (asterisk_recording_info_disclosure.nasl)

Bugtraq ID: 17641

CVE ID: CVE-2006-2021