Freepbx 2.x Code Execution Exploit

ID 1337DAY-ID-21915
Type zdt
Reporter i-Hmx
Modified 2014-02-18T00:00:00


Exploit for php platform in category web applications

                                            App : Freepbx 2.x
download :
Author : i-Hmx
mail : [email protected]
Home : , secarrays ltd

Freepbx is famous asterisk based distro used world wide , it suffer from many vulns actually
simple one is included here just as a "knock knock" for the "schmoozecom" team ;)
Here you will see damn obvious PHP code Execution vuln , which can be upgraded to RCE and also dump all box's data
You can have a look if you are interested

File : admin/libraries/view.functions.php

function fileRequestHandler($handler, $module = false, $file = false){
global $amp_conf;

switch ($handler) {
case 'reload':
// AJAX handler for reload event
$response = do_reload();
header("Content-type: application/json");
echo json_encode($response);
case 'file':
/** Handler to pass-through file requests
* Looks for "module" and "file" variables, strips .. and only allows normal filename characters.
* Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type,
* and always interprets files through the PHP interpreter. (Most of?) the freepbx environment is available,
* including $db and $astman, and the user is authenticated.
if (!$module || !$file) {
//TODO: this could probably be more efficient
$module = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$module));
$file = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$file));

$allowed_exts = array(
'.js' => 'text/javascript',
'.js.php' => 'text/javascript',
'.css' => 'text/css',
'.css.php' => 'text/css',
'.html.php' => 'text/html',
'.php' => 'text/html',
'.jpg.php' => 'image/jpeg',
'.jpeg.php' => 'image/jpeg',
'.png.php' => 'image/png',
'.gif.php' => 'image/gif',

# [2018-04-14]  #