Telephone Reminders patch has been pushed out to all Incredible PBX servers. All you'll have to do is log out and log back in as root, and the patch will be applied.
As for the vulnerability itself, the notes to the post make clear: "Access to reminders/index.php requires 'maint' password." That is exactly right. Your maint password validated with Apache security has ALWAYS been required to access the web interface to Telephone Reminders with Incredible PBX running under PBX in a Flash. Most Incredible PBX implementations randomize the maint password. Older versions with default password are no longer available from trusted sources. The web interface to Telephone Reminders was never designed for exposure to the Internet!
Suffice it to say, if your maint password has been compromised on any PBX in a Flash server, you've basically sold the farm. It's the functional equivalent of handing out the root password for the FreePBX GUI to the world. Reminders would be the least of your problems! It would provide the ability to compromise your Asterisk setup, your FreePBX configuration, and numerous MySQL databases. In short, your entire server could and probably would be hosed!
For this year's releases of Incredible PBX that do not run under PBX in a Flash and rely instead upon FreePBX security, the IPtables WhiteList firewall configuration of Incredible PBX protects your server from all users except those on your trusted private LAN and those you specifically authorized to access your server. If you have to worry about those users, you need to find a new job or some new friends.
Finally, this exploit assumes you have no hardware or software firewall in place, a circumstance which should NEVER occur! Only in such cases would this exploit give an attacker asterisk user privileges to your server, the same privileges already enjoyed by anyone having access to the FreePBX GUI including the FreePBX Dev Team.
Code:
# run as root on the PBX
cd /var/www/html/reminders
# keep a copy of the unpatched page before replacing it
cp index.php /root/index-oldreminders.php
# fetch and unpack the patch in place, then remove the archive
wget http://incrediblepbx.com/reminder-patch.tar.gz
tar zxvf reminder-patch.tar.gz
rm -f reminder-patch.tar.gz
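A post-patch sanity check an admin can run on the server, added here as an example and not part of the original post or of the Incredible PBX distribution. It uses the two file paths from the patch steps above; the reminders URL on 127.0.0.1 and the availability of curl are assumptions.

```shell
#!/bin/sh
# Post-patch check for the Telephone Reminders web interface (added example,
# not a script shipped by Incredible PBX or PBX in a Flash).
PATCHED=/var/www/html/reminders/index.php
BACKUP=/root/index-oldreminders.php
# Assumed local URL of the reminders page; adjust if Apache listens elsewhere.
URL=http://127.0.0.1/reminders/index.php

# 0 when both files exist and the live index.php differs from the saved
# pre-patch copy (the patch replaced the file); 1 otherwise.
patch_differs_from_backup() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    ! cmp -s "$1" "$2"
}

# 0 for an HTTP status meaning the request was refused without credentials
# (401 Unauthorized or 403 Forbidden); 1 for anything else, including 200.
is_denied_status() {
    case "$1" in
        401|403) return 0 ;;
        *)       return 1 ;;
    esac
}

# Status code of an unauthenticated request; "000" if unreachable or curl missing.
unauth_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || true
    echo "${code:-000}"
}

main() {
    rc=0
    if patch_differs_from_backup "$PATCHED" "$BACKUP"; then
        echo "OK   index.php differs from the pre-patch backup"
    else
        echo "FAIL index.php missing or identical to the backup; patch not applied?"
        rc=1
    fi
    code=$(unauth_status "$URL")
    if is_denied_status "$code"; then
        echo "OK   unauthenticated request got HTTP $code (Apache auth in place)"
    else
        echo "FAIL unauthenticated request got HTTP $code (expected 401/403)"
        rc=1
    fi
    return $rc
}

# Live checks run only when invoked as: sh check-reminders.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A 200 on the second check means the page is being served without the maint password prompt and the Apache protection the post describes is not active for that directory.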
See also this post on the FreePBX Forum.