Uploaded image for project: 'FreePBX'
  1. FreePBX
  2. FREEPBX-9850

Change inadvertantly removed limitation on invalid conference pins

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 12, 13
    • Fix Version/s: 12, 13
    • Component/s: Conferences
    • Labels:
      None
    • ToDo:
    • Distro:
      FreePBX Distro

      Description

      Change to /var/www/html/admin/modules/conferences/functions.inc.php in commit ec75713620b833dcb363d715884226dd4e50fd81 causes pin failure to loop back too early so that PINCOUNT is reset to 0 (zero) @ line 287.

      Consequently, there is no longer a limit on invalid pin entry and hackers are running up Toll Free bills while sequentially hacking conference pins. THIS IS A CRITICAL SECURITY ISSUE!

      Would recommend this, or similar, fix:

      
288c288
<                                       $ext->add($contextname, $roomnum, 'RETRYPIN', new ext_read('PIN','enter-conf-pin-number'));
---
>                                       $ext->add($contextname, $roomnum, '', new ext_read('PIN','enter-conf-pin-number'));
300c300
<                                       $ext->add($contextname, $roomnum, '', new ext_goto('RETRYPIN'));
---
>                                       $ext->add($contextname, $roomnum, '', new ext_goto('READPIN'));

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                tm1000 Andrew Nagy
                Reporter:
                tlum tlum
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  NextupJiraPlusStatus

                  Error rendering 'slack.nextup.jira:nextup-jira-plus-status'. Please contact your Jira administrators.