Open source XML Directory on Cisco SPA phones

Just like to share that I have finally found a good and working XML Directory system that works with the Cisco SPA phones.

I had to make a couple of changes. Also the database needs creating with mysql/mysqladmin. The installer doesn’t create the database.

Just because random patchwork is terrible and this is GPL can I suggest you put your fixed version on github and link to the “working version” Then if others want to contribute or fix things they can do pull requests.

I could certainly have a go when I get some time.
The UI is nice, I like this system.

Next step will be to hook it up as a caller ID lookup source.

It’s been a lookup option in CID Superfecta for a very long time:

Oh super! Thanks!

1 Like

I’m using cisco SPA phones. is there a walkthrough on how to get this working ?

I can write some quick notes for you later today.

OK quick walk through:

Download Open79XX XML Directory from here:

extract to /var/www/html/xmldir

chown -R asterisk.asterisk /var/www/html/xmldir

Change all the CiscoIPPhoneGraphicMenu tags to just CiscoIPPhoneMenu, so that the menus work on the non-colour SPA phones that can’t display graphics:

cd /var/www/html/xmldir/PhoneUI/templates
sed -i ‘s/CiscoIPPhoneGraphicMenu/CiscoIPPhoneMenu/g’ *

edit the main menu to remove the ‘Memos’ (unless you want that), and to make the Search option accessible from the first screen. Also get rid of the user registrations list stuff:

> vim img_menu.php
change the parts that start at 1.Main to look like this:

     <Name>Search for Contacts</Name>

(This will give you simply ‘Main’ and ‘Search for Contacts’ on the phone, so that you don’t have to go through two other submenus to to do a global search).

save that file

cd /var/www/html/xmldir/PhoneUI/lib
vim urlbase.php

change the line near the top to:

$url_end = 'xmldir/PhoneUI/';^M

save that file (esc, : , wq , enter)

> mysql -u root -p

not sure what the distro root mysql password is. You can try mysql without the -u and -p

create database xmldir;

browse to > http://<ip-of-pbx>/xmldir/install.php
choose localhost and your database credentials and the database name you just created - xmldir

then on the SPA phones in the phones config file:

<XML_Directory_Service_Name group="Phone/XML_Service">Central Directory</XML_Directory_Service_Name>
<XML_Directory_Service_URL group="Phone/XML_Service">http://ip-address-of-pbx/xmldir/PhoneUI/index.php</XML_Directory_Service_URL>

That looks simple enough - thanks !
I’ll have a try over the weekend :slight_smile:

Anyone using this should be aware of the security implications and risks. Just in a quick review this is mysql injectable without login.

That doesn’t sound great! I’m not a coder but there was some php code in there which removed unwanted SQL strings e.g. ‘insert’ ‘update’ from post/get URLs or something. Have you seen that?
Anyway it has its own database and if its set up with its own database user rather than root, and is kept internal to the LAN, this should mitigate until somebody picks up the now dormant project.


  Joe Hopkins <[email protected]>
  Copyright (c) 2005, McFadden Associates.  All rights reserved.

function defang_input ($input)
// Remove harmful SQL words and characters from inputs.
$chkExp = “(; )|(select)|(insert)|(update)|(delete)|(drop)|(’)”;
$output = trim(eregi_replace($chkExp, “”, $input));

$output = trim(eregi_replace("&", “&”, $output));
$output = trim(eregi_replace("&", “&”, $output));
return $output;

I haven’t done a full review, frankly I don’t have the time. I just did a quick scan. I saw the above function and this does not prevent injection. Even in with an independent database there can be an insertion that is called somewhere else ($_SESSION) that can be used to own the webserver and possibly escalate to root.

As you say then, use at your own risk :slight_smile:

Or run it off a different / dedicated box / vm. Doesn’t need to talk to asterisk.

I realize this is an old thread, but does anyone know if the Open79xx XML Directory still works with the latest version of FreePBX here in 2022? Specifically, FreePBX 16, Asterisk 16.17.0, PHP V7, and MariaDB Server V5.5.65. I had this working on a Trixbox many ago, and on an older PIAF system before I switched over to the main FreePBX distro.

I see there’s an updated version on GitHub that supports PHP 7, but no installation instructions:

I am trying to set this up in a test environment for now, I have the webserver copied over (using the updated project from GitHub), but my problem is with creating and setting up the openxmldir database with MariaDB.

I created a user to remotely log in to the server, and created a blank ‘openxmldir’ database for the setup,

create database openxmldir;

but the install.php website does not populate any of the tables or set the database up.

I also tried running the SQL script remotely via DBeaver on Windows, but I received a few SQL statement syntax errors, but also I do not think that is the correct way to set the database up.

After pressing the Services button on the phone, the phone screen is displaying the “This phone must be authorized” message; so it is seeing the openxmldir website, but without the database I can’t log in and authorize the phone(s).

Is there anything else to try?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.