Grandstream Phonebook.xml Doesn't Download Securely


#1

The phonebook.xml download only works when the password and authentication are disabled, meaning it will only download when the download does not require a username and password.

It is crazy that it can download the provisioning file securely but it doesn't download the phonebook.xml when authentication is required.

I am not sure if it is related to the rewrite rule, but I don't think it is, because otherwise I wouldn't be able to download/access it from the browser either.

For me it works in the browser using authentication (by going to the link https://username:password@mydomain.com/app/provision/pb/000b82b9853f/phonebook.xml).

I checked the nginx access.log. It looks like this:

IP.A.DD.RESS - username [12/Nov/2019:20:32:25 +0000] "GET /app/provision/pb/000b82b9853f/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW GXP2170 SW 1.0.11.2 DevId 000b82b9853f"

That 401 means unauthorized.

So the browser can access it secured, but the phone can only access it unsecured.

It is a puzzle, and I would so much appreciate a helping hand.

Note: In case you are wondering, the password and username are correct.

Product Model GXP2170

|Component|Version|
|---|---|
|Prog|1.0.11.2|
|Locale|1.0.11.1|
|Recovery|1.0.9.98|


#2

Are you using special characters in the username or password?


#3

Run syslog; you will see some extra data.


#4

After talking for several days with Grandstream support, we have discovered that although the phone is able to download the configuration file with the Digest authentication type, the phonebook needs the Basic authentication type. The solution to download the phonebook is to change the type of authentication to Basic in FusionPBX. This way, the configuration and the phonebook are downloaded correctly.
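As an added example (not from this thread, FusionPBX or Grandstream), here is a small Python check over nginx access-log lines that counts the 401 responses on phonebook.xml per phone DevId, so the failing phonebook downloads described in #1 and #4 can be spotted across all phones instead of by reading the log by hand. The sample log lines are constructed; the Grandstream User-Agent and DevId format follow the line quoted in #1, and the config-file path in the 200 line is an invented placeholder.

```python
import re
from collections import defaultdict

# nginx "combined" format:
# remote_addr - remote_user [time] "request" status bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Grandstream phones identify themselves and their MAC-derived DevId in the UA.
DEVID_RE = re.compile(r'Grandstream .*DevId (?P<devid>[0-9a-f]{12})')

# Constructed sample log (documentation IPs; the first line mirrors the one
# quoted in the thread; the config path in line 2 is a placeholder).
SAMPLE_LOG = """\
192.0.2.10 - username [12/Nov/2019:20:32:25 +0000] "GET /app/provision/pb/000b82b9853f/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW GXP2170 SW 1.0.11.2 DevId 000b82b9853f"
192.0.2.10 - username [12/Nov/2019:20:32:26 +0000] "GET /app/provision/EXAMPLE-CONFIG-PATH.xml HTTP/1.1" 200 4210 "-" "Grandstream Model HW GXP2170 SW 1.0.11.2 DevId 000b82b9853f"
192.0.2.11 - - [12/Nov/2019:20:33:01 +0000] "GET /app/provision/pb/000b82b9853f/phonebook.xml HTTP/1.1" 401 23 "-" "Grandstream Model HW GXP2170 SW 1.0.11.2 DevId 000b82b9853f"
203.0.113.5 - - [12/Nov/2019:20:35:10 +0000] "GET /app/provision/pb/000b82b9853f/phonebook.xml HTTP/1.1" 401 23 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_phonebook_fetches(log_text):
    """Return ({devid: count_of_401s_on_phonebook.xml}, count_from_non_phone_agents).

    Only requests whose User-Agent carries a Grandstream DevId are attributed to
    a phone; a browser or scanner hitting the same path is counted separately,
    so it does not masquerade as a provisioning failure."""
    phones = defaultdict(int)
    others = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "401" or not rec["path"].endswith("/phonebook.xml"):
            continue
        dev = DEVID_RE.search(rec["ua"])
        if dev:
            phones[dev.group("devid")] += 1
        else:
            others += 1
    return dict(phones), others


if __name__ == "__main__":
    per_phone, non_phone = failed_phonebook_fetches(SAMPLE_LOG)
    for devid, n in sorted(per_phone.items()):
        print(f"phone {devid}: {n} phonebook.xml request(s) rejected with 401")
    print(f"non-phone agents rejected: {non_phone}")
```

A successful switch to Basic authentication on the phonebook (the fix in #4) shows up as those per-phone 401 counts dropping to zero while the config-file downloads keep returning 200.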


#5

Almost a year has passed and Grandstream still has not taken care of this security bug. The phone can download the phonebook.xml only in Basic authentication mode and cannot download it in Digest authentication mode.