FreePBX issue FREEPBX-5582

Security issue ARI admin credentials can be derived from unauthenticated user

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 2.10
    • Fix Version/s: None
    • Component/s: ARI User Portal
    • Labels: None
    • Backend Engine: All
    • Confirmation: Confirmed

      Description

      fw_ari module 2.10.0rc1.2, published 3 days ago, exposed a bug that allows the ARI admin credentials to be discovered with no authentication. Other, more sensitive credentials were not exposed. Similar credentials can also be viewed by authenticated users in FreePBX admin, for a similar root cause.

        Activity

        Philippe Lindheimer added a comment -

        r13443 fixed in 2.10.0rc1.3

        Tim Miller Dyck added a comment -

        This seems to be the only ticket attached to (http://www.freepbx.org/trac/changeset/13443) so placing this here.

        The change to prompt for Google Chrome Frame in IE also affects users using just the ARI end user-facing web application. IE is a common browser in corporate environments and users without local administrator credentials cannot install Chrome Frame.

        So, I wanted to check: is the intention to require users only accessing ARI to use Firefox, Chrome, Safari or IE with Chrome Frame only (i.e. IE on its own is now more or less unsupported), or is this browser requirement really just for PBX administrators and ARI was included by default?

        If the latter, then it would be appreciated to not have the Chrome Frame check for ARI.

        If the former, then shops using IE will need to explore centralized deployment of Chrome Frame, or change the PHP locally to bypass the check and test ARI functionality to ensure it is working well enough.

        Just looking for a direction statement from mbrevda or other FreePBX developers.

        Thanks,
        Tim Miller Dyck

        Philippe Lindheimer added a comment -

        Tim,

        please bring this up in the Forum; it's not really relevant to have such a discussion in a ticket. Related to this ticket, that particular change didn't have anything to do with the security issue; it just happened to be checked in at the same time.

        Tim Miller Dyck added a comment -

        Thanks, will do.


          People

          • Assignee: Unassigned
          • Reporter: Philippe Lindheimer
          • Votes: 0
          • Watchers: 0