
UCCX 8.5 - static username for authenticate user step

gerheauserm
Level 1

Is there a way to statically have the username for the authenticate user step entered in a script?  Customer only wants to have his users enter a single PIN (same PIN for all users).  I have the script currently prompting the users for only a static PIN set in the script as a variable, but now they want to record and upload prompts, and from what I can tell, that session needs to authenticate to UCCX before the flow can proceed to the actual record/upload of the prompt.


Gergely Szabo
VIP Alumni

Hi,

yes, you can use the Get User step with a predefined (dummy) username - just use a static String. Is this what you mean?

G.

yes, but does that account name have to authenticate with UCCX, and if CUCM has LDAP setup, then I would need to have them add that account to A/D?

Hi,

yes, I am afraid it cannot bypass authentication - and if you have CUCM integrated with AD, then yes, you most likely need to create a user for this.

G.

Thanks for your replies.  One more for ya, the authentication step is required for any type of upload, whether it be a prompt recorded by the customer from within the script, or a document used to store a variable long term?

Hi,

well, yes, actually, a Prompt is just a subset of a Document. The same rules apply.

G.

On second thought, if it's not absolutely necessary to store the recordings on the UCCX server, you can consider saving/retrieving them from a Windows share or a database table. You could use a simple Get Digits step to collect the "PIN" and if it passes local "authentication" (for instance, with a simple If (digits="1234") step), then you can let the caller record a message and then save it. No Get User, no Authenticate User and all that stuff.

Does this sound like a solution to you?

G.

Anthony Holloway
Cisco Employee

Public Service Announcement

UPDATE: Cisco has addressed this vulnerability and it's fixed in UCCX 10x.  Read and track the defect: CSCuf77546

Do not hard code your UCCX administrative credentials in a script, even if it's uploaded to the repository.

Any person with a copy of UCCX Script Editor and the IP Address of your UCCX can access all of your scripts within the repository.  They do not need an account, and would simply log in anonymously.  If it were me, I would immediately look for a script named something like "prompt" or "recording" or "upload" and then look inside to see if the username and password are in there.  Once I find it, I would just log into your UCCX server.  That's about all I can think of if you are on 8x or higher.

However, if you are on 7x or lower, once I log into your server, I would download the AppAdmin logs (available right through AppAdmin) and pull the AXL SOAP messages going to your CUCM.  From those messages I would pull the Base64 encoded username and password.  If I'm lucky, you were lazy and just used a Super User account, and now I log into your CUCM server.  If I'm not lucky, and you created an AXL only account, well then I just use AXL to create a new account on your server, give it Super User rights, and then log in from there.  At this point, I have complete control over your phone system.

Please test this for yourself.  Grab a vanilla Windows machine, install the Editor on it (I would typically have VM's running on my laptop with the major versions of UCCX) then simply type in the IP address of your UCCX and click logon anonymously.  Then File > Open, and try to open a script from the repository.

There are four main ways to secure your scripts from this type of access:

1) Don't hard code passwords, instead ask the user to enter a PIN and auth on PIN

2) Embed the credentials within a document in the repository.  When your script executes, it should read the credentials out of the document within the repo.  Because the document repo cannot be accessed unless you authenticate, it's a secure method of hard coding your credentials.

3) Use a variable marked as parameter for your password (and potentially the username) but leave them blank and rely on the AppAdmin page to set the credentials.

4) Use the Protect feature of the Editor to mask the password.  See this document for more information: https://supportforums.cisco.com/docs/DOC-35433

You might be asking yourself how the attacker would know your UCCX IP address...well, since I'm on your network, and have to be in order to access UCCX, I would simply look at an IP Phone's network settings, and 99% of the time the UCCX IP is in the same subnet, if not a digit or two away, as the CUCM Pub/Sub's.  I just type the addresses into my browser and wait for the UCCX to respond.

This has been a public service announcement. 

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.

EDIT: Added a third step to secure the credentials.  My friend Chase M. reminded me of this great option.  Thank you Chase.
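
A defensive counterpart to the log exposure described in the post above, added here as an example and not part of the original thread: it finds Base64-encoded Basic credentials in captured log lines, reports which account needs rotating, and redacts the token. It assumes the AXL requests carry the credentials in an HTTP `Authorization: Basic` header; the log layout, the account name and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Matches an HTTP Basic Authorization header value wherever it appears in a log line.
BASIC_RE = re.compile(r"(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)


def exposed_account(token):
    """Return the account name inside a Basic token, or None if it does not decode."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def scrub(lines):
    """Redact Basic credentials; return (clean_lines, findings)."""
    clean, findings = [], []
    for number, line in enumerate(lines, start=1):
        def redact(match, number=number):
            user = exposed_account(match.group(2))
            if user is None:
                return match.group(0)  # not a real credential, leave untouched
            findings.append((number, user))
            return match.group(1) + "[REDACTED]"
        clean.append(BASIC_RE.sub(redact, line))
    return clean, findings


# Constructed sample input: the log layout and the account are invented.
SAMPLE_TOKEN = base64.b64encode(b"axl_svc:Constructed-Pw1").decode("ascii")
SAMPLE_LOG = [
    "12:00:01 DEBUG AXL request POST /axl/ HTTP/1.1",
    "12:00:01 DEBUG header Authorization: Basic " + SAMPLE_TOKEN,
    "12:00:01 DEBUG header Content-Type: text/xml",
    "12:00:02 DEBUG header Authorization: Basic not*base64",
]

if __name__ == "__main__":
    cleaned, found = scrub(SAMPLE_LOG)
    for number, user in found:
        print(f"line {number}: credentials for '{user}' logged in clear; rotate them")
    print("\n".join(cleaned))
```

Base64 is an encoding, not encryption, so any account the scan reports should be treated as disclosed to everyone who could read the log.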

Good point.  So the next question is, if not through the upload command in the script, how would I get a document containing the userID credentials into the repository?  Via the UCCX admin web GUI?  If so, what is the format of the document?

Thanks in advance

Rookie Scriptor!

Correct, through the AppAdmin web interface.

The format can be anything you are comfortable with.

One option would be to store it in an XML document, and use the built in script steps to read the contents of the XML document.

XML Document

Filename: repository_account.xml

Location: Default language folder in repository

Contents:

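<!-- Root element name is a placeholder; only the username and password elements are given by the XPath queries in the script. -->
<account>
  <username>uccxadmin</username>
  <password>S3cureP@ssw0rd!</password>
</account>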

Script

Variables

Document xml_repository_account = doc[repository_account.xml]

User repository_user = null

String repository_pass = ""

String xpath_result = ""

Code Snippet

Start

...some beginning script stuff goes here, like accepting the call, etc...

/* Get Repository Account */

xml_repository_account = Create XML Document (xml_repository_account)

xpath_result = Get XML Document Data (xml_repository_account, "//username")

If (xpath_result != null)

  True

    Set repository_user = user[xpath_result]

    xpath_result = Get XML Document Data (xml_repository_account, "//password")

    If (xpath_result != null)

      True

        Set repository_pass = xpath_result

        Authenticate User Password (repository_user, repository_pass)

          Success

            /* We have an authenticated repository user to use with upload steps and such */

          Unsuccessful

            /* Something went wrong and we're sad about it =( */

      False

        /* Something went wrong and we're sad about it =( */

  False

    /* Something went wrong and we're sad about it =( */

...some other script stuff goes here, like prompt recording and uploading, etc...

End

The formatting feature is not working so well in my IE browser, so I apologize if the formatting appears messed up at first, and I will try to fix it as quickly as I can.

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.

Hi Anthony

Thank you once again for these valuable script steps.

Regards

shameer

Great work Anthony... +5 to both the posts