[Original text] Asterisk Recording Interface (ARI) in Asterisk@Home before 2.8 stores recordings/includes/main.conf under the web document root with insufficient access control, which allows remote attackers to obtain password information.
Asterisk Recording Interface contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests the configuration file '/recordings/includes/main.conf' directly, as there are no controls to prevent such access. This will disclose the application's configuration information, including administrative and database passwords, resulting in a loss of confidentiality.
Upgrade to version 0.10.00 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
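
To check whether the configuration file was already served before the upgrade, the web server's access log can be reviewed for requests to the path named above. The following is an added example, not part of the advisory or of ARI; it assumes Apache common/combined log format, and the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

TARGET = "/recordings/includes/main.conf"  # path named in the advisory

# Assumed log format: Apache/NCSA common or combined.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize(uri):
    """Drop query/fragment, percent-decode, collapse '//', '.' and '..'."""
    path = unquote(uri.split("?", 1)[0].split("#", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def find_exposures(lines):
    """Return (ip, timestamp, status, disclosed) for each request to TARGET."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["uri"]) != TARGET:
            continue
        status = int(m["status"])
        # A 200 with a non-empty body means the file content was sent.
        disclosed = status == 200 and m["size"] not in ("-", "0")
        hits.append((m["ip"], m["ts"], status, disclosed))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] '
    '"GET /recordings/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2006:10:00:05 +0000] '
    '"GET /recordings/includes/main.conf HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2006:10:00:09 +0000] '
    '"GET /recordings/includes/main%2Econf?x=1 HTTP/1.0" 200 2048',
    '203.0.113.4 - - [01/Jan/2006:10:01:00 +0000] '
    '"GET /recordings//includes/./main.conf HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, ts, status, disclosed in find_exposures(SAMPLE):
        verdict = "DISCLOSED" if disclosed else "blocked/not served"
        print(f"{ts} {ip} status={status} {verdict}")
```

Any line reported as disclosed means the passwords in main.conf should be treated as compromised and rotated after upgrading.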