[Full-disclosure] freePBX 2.2.x's Music-on-hold Remote Code Execution Injection
I've found a code injection in the music-on-hold module at freePBX's portal. There are insufficient filters in the delete functions. Only " ' and ; are being filtered.

Vulnerable Lines:

    300: $rmcmd="rm -f \"".$pathtodir."/".$del."\"";
    301: exec($rmcmd);

Example code:...
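
Added example (not part of the original post and not freePBX code): one way a delete handler like the one in the quoted lines can remove the file without passing the name to a shell. The function name delete_moh_file and the temporary demo directory are hypothetical; $pathtodir and $del follow the variable names in the quoted lines.

```php
<?php
// Added example. delete_moh_file() is a hypothetical name, not a freePBX function.
// $pathtodir and $del mirror the variables in the quoted lines 300-301.

function delete_moh_file(string $pathtodir, string $del): bool
{
    // Accept only a bare file name: no NUL byte, no path separators, no dot entries.
    if ($del === '' || strpos($del, "\0") !== false
        || $del !== basename($del) || $del === '.' || $del === '..') {
        return false;
    }

    // Resolve the music directory once, so later checks use the canonical path.
    $base = realpath($pathtodir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Allow-list: the name must match an entry that is really in the directory.
    $entries = scandir($base);
    if ($entries === false || !in_array($del, $entries, true)) {
        return false;
    }

    // Delete regular files only, never a symlink pointing elsewhere.
    $target = $base . DIRECTORY_SEPARATOR . $del;
    if (is_link($target) || !is_file($target)) {
        return false;
    }

    // unlink() goes straight to the filesystem: no shell ever parses the
    // name, so filtering individual characters is no longer the defence.
    // If a shell command cannot be avoided, pass the value through
    // escapeshellarg() rather than stripping a few characters.
    return unlink($target);
}

// Constructed demo input in a throwaway directory.
$dir = sys_get_temp_dir() . '/moh_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/hold.wav', 'x');
file_put_contents($dir . '/odd $name & more.wav', 'x');

var_dump(delete_moh_file($dir, 'hold.wav'));              // ordinary name
var_dump(delete_moh_file($dir, 'odd $name & more.wav'));  // metacharacters are plain data here
var_dump(delete_moh_file($dir, '../outside.wav'));        // contains a path separator
var_dump(delete_moh_file($dir, 'missing.wav'));           // not in the directory listing
rmdir($dir);
```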