CVE-2020-37104 Overview
CVE-2020-37104 is an information disclosure vulnerability affecting ASTPP 4.0.1, an open-source VoIP billing solution. The vulnerability allows unauthenticated attackers to download database backup files by predicting backup filename patterns. By generating a list of 6-digit PIN combinations and fuzzing the backup download URL, attackers can exfiltrate sensitive database information from the /database_backup/ directory without any authentication.
Critical Impact
Unauthenticated attackers can access and download database backups containing sensitive billing data, customer information, call records, and potentially credentials stored in the ASTPP VoIP billing system.
Affected Products
- ASTPP 4.0.1
- ASTPP VoIP Billing Platform (versions with exposed backup directories)
Discovery Timeline
- 2026-02-11 - CVE-2020-37104 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2020-37104
Vulnerability Analysis
This vulnerability is classified under CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory). The core issue stems from ASTPP's improper handling of database backup files, which are stored in a predictable location (/database_backup/) and use a predictable naming convention based on 6-digit PIN codes.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing ASTPP installations. An attacker can enumerate possible backup filenames through brute-force techniques, testing all 6-digit combinations until a valid backup file is found.
Root Cause
The root cause of this vulnerability is twofold:
- Predictable Filename Generation: Database backup files are named using a predictable 6-digit PIN pattern, making them susceptible to enumeration attacks.
- Missing Access Controls: The /database_backup/ directory lacks proper authentication mechanisms, allowing any unauthenticated user to request files directly if they know or can guess the filename.
This represents a fundamental design flaw where sensitive database exports are stored in a web-accessible location without adequate protection mechanisms.
Attack Vector
The attack is conducted over the network with low complexity. An attacker performs the following steps:
- Identifies an ASTPP installation (version 4.0.1 or similar)
- Generates a wordlist of all possible 6-digit PIN combinations (000000-999999)
- Fuzzes the /database_backup/ endpoint by appending each PIN value to the expected filename format
- Downloads any successfully matched backup files
- Extracts sensitive information including database credentials, customer records, billing data, and call detail records
The attack requires no special privileges and can be fully automated, allowing rapid exploitation of vulnerable systems. For technical exploitation details, refer to the Exploit-DB #47900 entry.
Detection Methods for CVE-2020-37104
Indicators of Compromise
- Unusual HTTP requests targeting the /database_backup/ directory path
- High volume of 404 errors from a single source IP attempting to access the backup directory
- Successful downloads of .sql or database backup files from unauthorized sources
- Sequential or patterned requests indicating automated fuzzing attempts
Detection Strategies
- Monitor web server access logs for requests containing /database_backup/ from external IP addresses
- Implement rate limiting on requests to sensitive directories to detect brute-force attempts
- Configure web application firewalls (WAF) to alert on enumeration patterns targeting backup directories
- Review authentication logs for access attempts to backup functionality
Monitoring Recommendations
- Enable verbose logging for all requests to the /database_backup/ directory
- Set up alerts for any successful file downloads from backup directories by unauthenticated users
- Monitor outbound data transfers for unusually large file exports that may indicate data exfiltration
- Implement anomaly detection for sequential request patterns targeting predictable filename formats
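The log review described in the detection lists above can be scripted. The following is an added example, not code from the advisory or from ASTPP: it assumes an Apache/nginx combined-format access log, and the threshold, sample log lines and file names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_PREFIX = "/database_backup/"  # directory named in the advisory
MISS_THRESHOLD = 3                   # assumption: low so the sample triggers; tune it

# Constructed sample lines; file names are placeholders, not ASTPP's real format.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:00:01 +0000] "GET /database_backup/example_000001.sql HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:00:01 +0000] "GET /database_backup/example_000002.sql HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:00:02 +0000] "GET /database_backup//example_000003.sql HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:00:02 +0000] "GET /database_backup/example_000004.sql HTTP/1.1" 200 5242880 "-" "-"',
    '198.51.100.20 - - [12/Feb/2026:10:05:00 +0000] "GET /database_backup/ HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.20 - - [12/Feb/2026:10:05:03 +0000] "GET /login HTTP/1.1" 200 1024 "-" "-"',
]

def normalize(path):
    """Drop the query string, decode %xx escapes, collapse repeated slashes."""
    return re.sub(r"/+", "/", unquote(path.split("?", 1)[0])).lower()

def analyze(lines, miss_threshold=MISS_THRESHOLD):
    """Return source IPs probing many distinct backup names, plus any served files."""
    missed = defaultdict(set)  # ip -> distinct backup paths answered 403/404
    downloads = []             # (ip, path, bytes) for every 200/206 response
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m["path"])
        if not path.startswith(BACKUP_PREFIX):
            continue
        status = int(m["status"])
        if status in (200, 206) and path != BACKUP_PREFIX:
            size = 0 if m["size"] == "-" else int(m["size"])
            downloads.append((m["ip"], path, size))
        elif status in (403, 404):
            missed[m["ip"]].add(path)
    enumerators = sorted(ip for ip, p in missed.items() if len(p) >= miss_threshold)
    return {"enumerators": enumerators, "downloads": downloads}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry in `downloads` means a backup file was actually served and should be treated as a disclosure to investigate, regardless of whether the same source also appears in `enumerators`.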
How to Mitigate CVE-2020-37104
Immediate Actions Required
- Restrict access to the /database_backup/ directory using web server configurations (.htaccess or nginx location blocks)
- Move database backups outside of the web-accessible document root
- Implement strong authentication requirements for any backup download functionality
- Review access logs for evidence of prior exploitation attempts
Patch Information
Consult the GitHub ASTPP Repository and ASTPP Billing Website for the latest security updates and patches. Review the VulnCheck ASTPP Advisory for additional remediation guidance.
Organizations should upgrade to the latest version of ASTPP that addresses this information disclosure issue, and verify that backup directories are properly secured after any updates.
Workarounds
- Block public access to /database_backup/ directory via web server configuration
- Relocate backup storage to a non-web-accessible location on the server
- Implement IP-based access restrictions limiting backup access to authorized management IPs only
- Use randomized, cryptographically secure backup filenames instead of predictable PIN-based patterns
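```apache
# Apache .htaccess configuration to restrict backup directory access
# Place this file in the /database_backup/ directory
# Deny all access by default
<IfModule mod_authz_core.c>
    # Apache 2.4+
    Require all denied
    # Optionally allow specific management IPs (use instead of the line above)
    # Require ip 192.168.1.100 10.0.0.0/8
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    # Allow from 192.168.1.100
    # Allow from 10.0.0.0/8
</IfModule>
```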
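The relocation and randomized-filename workarounds above address both root causes at once. The following is an added example, not ASTPP's backup code: the function names, the `backup-` prefix and the directory arguments are hypothetical, and it assumes a POSIX host.

```python
import os
import secrets
from pathlib import Path

def is_inside(child: Path, parent: Path) -> bool:
    """True if child is parent itself or lies anywhere beneath it."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents

def new_backup_file(backup_dir, web_root, token_bytes=16) -> Path:
    """Create an empty, owner-only backup file with an unguessable name.

    Refuses to work inside the web root, so a backup can never be fetched
    over HTTP even if the name leaks. The caller writes the dump into the
    returned path.
    """
    backup_dir, web_root = Path(backup_dir), Path(web_root)
    if is_inside(backup_dir, web_root):
        raise ValueError(f"{backup_dir} is inside web root {web_root}")
    backup_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    # 16 random bytes give 2**128 possible names, against the 10**6 of a
    # 6-digit PIN; secrets draws from the OS CSPRNG.
    name = f"backup-{secrets.token_hex(token_bytes)}.sql"
    path = backup_dir / name
    # O_EXCL fails rather than reusing an existing file; 0o600 is owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path
```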

