cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3907
Views
35
Helpful
11
Replies

UCCX 8.5 - static username for authenticate user step

gerheauserm
Level 1
Level 1

Is there a way to statically have the username for the authenticate user step entered in a script?  Customer only wants to have his users enter a single PIN (same PIN for all users).  I have the script currently prompting the users for only a static PIN set in the script as a variable, but now they want to record and upload prompts, and from what I can tell, that session needs to authenticate to UCCX before the flow can proceed to the actual record/upload of the prompt.

11 Replies 11

Gergely Szabo
VIP Alumni
VIP Alumni

Hi,

yes, you can use the Get User step with a predefined (dummy) username - just use a static String. Is this what you mean?

G.

yes, but does that account name have to authenticate with UCCX, and if CUCM has LDAP setup, then I would need to have them add that account to A/D?

Hi,

yes, I am afraid it cannot bypass authentication - and if you have CUCM integrated with AD, then yes, you most likely need to create a user for this.

G.

Thanks for you replies.  One more for ya, the authentication step is required for any type of upload, whether it be a prompt recorded by the customer from within the script, or a document used to store a variable long term?

Hi,

well, yes, actually, a Prompt is just a subset of a Document. The same rules apply.

G.

On second thought, if it's not absolutely necessary to store the recordings on the UCCX server, you can consider saving/retrieveing them from a Windows share or a database table. You could use a simple Get Digits step to collect the "PIN" and if it passes local "authentication" (for instance, with a simple If (digits="1234") step), then you can let the caller to record a message and then save it. No Get User, not Authenticate User and all that stuff.

Does this sound like a solution to you?

G.

Anthony Holloway
Cisco Employee
Cisco Employee

Public Service Announcement

UPDATE: Cisco has addressed this vulnerability and it's fixed in UCCX 10x.  Read and track the defect: CSCuf77546

Do not hard code your UCCX administrative credentials in a script, even if it's uploaded to the repository.

Any person with a copy of UCCX Script Editor and the IP Address of your UCCX can access all of your scripts within the repository.  They do not need an account, and would simply log in anonymously.  If it were me, I would immediately look for a script named something like "prompt" or "recording" or "upload" and then look inside to see if the username and password are in there.  Once I find it, I would just log into your UCCX server.  That's about all I can think of if you are on 8x or higher.

However, if you are on 7x or lower, once I log into your server, I would download the AppAdmin logs (available right through AppAdmin) and pull the AXL SOAP messages going to your CUCM.  From those messages I would pull the Base64 encoded username and password.  If I'm lucky, you were lazy and just used a Super User account, and now I log into your CUCM server.  If I'm not lucky, and you created an AXL only account, well then I just use AXL to create a new acocunt on your server, give it Super User rights, and then log in from there.  At this point, I have complete control over your phone system.

Please test this for yourself.  Grab a vanilla Windows machine, install the Editor on it (I would typically have VM's running on my laptop with the major versions of UCCX) then simply type in the IP address of your UCCX and click logon anonymously.  Then File > Open, and try to open a script from the repository.

There are two three four main ways to secure your scripts from this type of access:

1) Don't hard code passwords, instead ask the user to enter a PIN and auth on PIN

2) Embed the credentials within a document in the repository.  When your script executes, it should read the credentials out of the document within the repo.  Because the document repo cannot be accessed unless you authenticate, it's a secure method of hard coding your credentials.

3) Use a variable marked as parameter for your password (and potentially the username) but leave them blank and rely on the AppAdmin page to set the credentials.

4) Use the Protect feature of the Editor to mask the password.  See this document for more information: https://supportforums.cisco.com/docs/DOC-35433

You might be asking yourself how the attacker would know your UCCX IP address...well, since I'm on your network, and have to be in order to access UCCX, I would simply look at an IP Phone's network settings, and 99% of the time the UCCX IP is in the same subnet, if not a digit or two away, as the CUCM Pub/Sub's.  I just type the addresses into my browser and wait for the UCCX to respond.

This has been a public service announcement. 

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.

EDIT: Added a third step to secure the credentials.  My friend Chase M. reminded of this great option.  Thank you Chase.

Good point.  So the next question is, if not through the upload command in the script, how would I get a document containing the userID credentials into the repository?  Via the UCCX admin web GUI?  If so, what is the format of the document?

Thanks in advance

Rookie Scriptor!

Correct, through the AppAdmin web interface.

The format can be anything you are comfortable with.

One option would be to store it in an XML document, and use the built in script steps to read the contents of the XML document.

XML Document

Filename: repository_account.xml

Location: Default language folder in repository

Contents:

  uccxadmin

  S3cureP@ssw0rd!

Script

Variables

Document xml_repository_account = doc[repository_account.xml]

User repository_user = null

String repository_pass = ""

String xpath_result = ""

Code Snippet

Start

...some beginning script stuff goes here, like accepting the call, etc...

/* Get Repository Account */

xml_repository_account = Create XML Document (xml_repository_account)

xpath_result = Get XML Document Data (xml_repository_account, "//username")

If (xpath_result != null)

  True

    Set repository_user = user[xpath_result]

    xpath_result = Get XML Document Data (xml_repository_account, "//password")

    If (xpath_result != null)

      True

        Set repository_pass = xpath_result

        Authenticate User Password (repository_user, repository_pass)

          Success

            /* We have an authenticated repository user to use with upload steps and such */

          Unsuccessful

            /* Something went wrong and we're sad about it =( */

      False

        /* Something went wrong and we're sad about it =( */

  False

    /* Something went wrong and we're sad about it =( */

...some other script stuff goes here, like prompt recording and uploading, etc...

End

The formatting feature is not working so well in my IE browser, so I apologize if the formatting appears messed up at first, and I will try to fix it as quickly as I can.

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.

Hi Anthony

Thank you once again for this valuable script steps.

Regards

shameer

Great work Anthony... +5 to both the posts

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: