- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 13, 14, 15
- Fix Version/s: None
- Component/s: Follow Me
- Labels: None

The *21 findme/followme toggle feature code is exposed to the external side of the dialplan.
*CLI> dialplan show *212000@from-pstn
[ Included context 'ext-findmefollow' created by 'pbx_config' ]
  '_*21X!' => hint: Custom:FOLLOWME${EXTEN:3} [extensions_additional.conf:1310]
              1. Goto(app-fmf-toggle,*21,1) [extensions_additional.conf:1309]

[ Included context 'ext-did-catchall' created by 'pbx_config' ]
  '.' => 1. Set(_FROM_DID=${EXTEN}) [extensions_additional.conf:2791]
         2. Noop(Received an unknown call with DID set to ${EXTEN}) [extensions_additional.conf:2792]
         3. Goto(s,a2) [extensions_additional.conf:2793]
= 2 extensions (5 priorities) in 2 contexts. =
This is generated by FreePBX at the top of the ext-findmefollow context, which is included by from-did-direct, which in turn is included by from-pstn.
Impact is limited because the feature code requires the caller ID to match a PBX extension, which should be prevented by SIP configuration (SIP extensions have to authenticate). Nevertheless, there seems to be the possibility of exploit, as I looked into this after seeing *21XXXX records incoming in my CDR.
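
The include chain described in this report can be audited offline. The following is an added example, not part of the original report and not FreePBX code: it parses dialplan text in extensions.conf syntax, walks the includes starting at from-pstn, and lists every feature-code pattern (one starting with `*`) that the trunk side can reach. The sample dialplan is constructed; the ext-local context and its Noop body are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the chain in the report:
# from-pstn -> from-did-direct -> ext-findmefollow. ext-local is an assumption.
SAMPLE_DIALPLAN = """
[from-pstn]
include => from-did-direct
include => ext-did-catchall
[from-did-direct]
include => ext-findmefollow
include => ext-local
[ext-findmefollow]
exten => _*21X!,1,Goto(app-fmf-toggle,*21,1)
exten => _*21X!,hint,Custom:FOLLOWME${EXTEN:3}
[ext-local]
exten => 2000,1,Noop(constructed local extension)
[ext-did-catchall]
exten => .,1,Set(_FROM_DID=${EXTEN})
"""

def parse_dialplan(text):
    """Return (includes, extens): context -> included contexts / patterns."""
    includes, extens = defaultdict(list), defaultdict(set)
    ctx = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            ctx = m.group(1)
        elif ctx and (m := re.match(r"include\s*=>\s*([^,\s]+)", line)):
            includes[ctx].append(m.group(1))
        elif ctx and (m := re.match(r"exten\s*=>\s*([^,]+),", line)):
            extens[ctx].add(m.group(1).strip())
    return includes, extens

def exposed_feature_codes(text, entry="from-pstn"):
    """List (include path, pattern) for '*' patterns reachable from entry."""
    includes, extens = parse_dialplan(text)
    findings, seen, stack = [], set(), [(entry, [entry])]
    while stack:
        ctx, path = stack.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for pat in sorted(extens[ctx]):
            if pat.lstrip("_").startswith("*"):  # '_' marks a pattern match
                findings.append((" -> ".join(path), pat))
        stack.extend((inc, path + [inc]) for inc in includes[ctx])
    return findings
```

Run against a copy of the generated dialplan, any finding under from-pstn is a feature code that an inbound call can match before the DID catch-all.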