
ALERT FreePBX Vulnerability

Discussion in 'Bug Reporting and Fixes' started by wardmundy, Feb 6, 2014.

  1. wardmundy

    wardmundy Nerd Uno


    We strongly recommend that you immediately upgrade your FreePBX Framework module to address this vulnerability. As all servers should be, PIAF and Incredible PBX servers sitting behind hardware-based firewalls with no HTTP (port 80) exposure are protected from outside attacks. Similarly, systems that have deployed Travelin' Man 3 are protected from anonymous HTTP attacks. Purely from an academic standpoint, we differ a bit on the scope of this vulnerability on PIAF systems (NOT Raspberry Pi and Beaglebone platforms!) because of the PIAF Apache authentication mechanism that generally protects FreePBX resources on PIAF servers; however, everyone should install the upgrade to be absolutely secure... especially Incredible PBX users on the Raspberry Pi and Beaglebone platforms! UPDATE: This upgrade is automatically pushed to all Incredible PBX systems on the first root login.
    amportal a modadmin upgrade framework
    amportal a r
    Very nice job by the FreePBX Dev Team in highlighting security issues in the FreePBX GUI now!!

  2. mcbsys

    mcbsys Guru

    A little update/feedback on handling this.

    1. The blog post's comments warn of possible issues with PHP below 5.3. Sounds like that was fixed in an update to the update but I wanted to check. Easy: go to the FreePBX admin page and select Reports > PHP Info. The header lists the PHP version (5.3.10 in my case).

    2. I currently have FreePBX The security update is NOT called out as shown above. All I see is this:

    3. One thing I love about PiaF is that for the most part I can forget about it, treat it like an appliance. At the moment, it's been up for 35 weeks. All this client needs is to make and receive calls on three phones, so the gazillion module updates are usually unnecessary. And it just works--I almost never log on to the UI. However I do want to apply security fixes, just to be safe. It would be nice if when FreePBX emails me the "New Online Updates Available," it would highlight any that are security-related so I would know to pay attention...

    Updating the 49 modules seems to have gone well except for a "symlink from modules failed" issue that I will post separately.
    wardmundy likes this.
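The two posts above between them describe a small procedure: confirm the PHP version is at or above 5.3 (the concern raised in the blog comments), then run the two `amportal` commands from the Linux shell. The script below is an added example written for this thread, not code from PIAF, FreePBX or any poster. It assumes a standard PIAF box where `php` and `amportal` are on root's PATH; the version-comparison helper exists because plain string comparison in shell would rank 5.10 below 5.3 and because Debian/Ubuntu PHP builds report versions with a packaging suffix.

```shell
#!/bin/sh
# Added example (not from the PIAF thread or the FreePBX project):
# preflight check before applying the FreePBX framework update from
# the Linux CLI. Assumes `php` and `amportal` are on PATH.

# version_ge A B: succeed (0) if dotted version A >= B.
# Compares up to three numeric fields so 5.10.0 ranks above 5.3.0.
version_ge() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# php_ok [VERSION]: succeed if PHP meets the 5.3 floor from the thread.
# With no argument it asks the installed php binary (same answer as
# Reports > PHP Info in the FreePBX GUI). A packaging suffix such as
# "5.3.10-1ubuntu3.4" is stripped before comparing.
php_ok() {
    ver=${1:-$(php -r 'echo PHP_VERSION;' 2>/dev/null)}
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    [ -n "$ver" ] && version_ge "$ver" 5.3.0
}

# Upgrade the framework module and reload, exactly as in the first post.
# These are Linux shell commands, not Asterisk CLI commands, so run them
# from a root prompt rather than from inside `asterisk -r`.
apply_framework_update() {
    if ! php_ok; then
        echo "PHP is below 5.3; read the update notes before upgrading" >&2
        return 1
    fi
    amportal a modadmin upgrade framework && amportal a r
}

# Uncomment on a real PIAF host:
# apply_framework_update
```

The check only guards the PHP floor; it does not replace the GUI Module Admin route that later posts recommend for anyone unsure of the CLI.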
  3. tm1000

    tm1000 Schmoozecom INC/FreePBX

    For clarification on security related issues (and since I don't want people to think their systems are 'broken'), the orange notice and email messages about security vulnerabilities are only included in FreePBX 2.11, you will not see any of those messages or notices in anything 2.10 or lower.

    So actually #2 and #3 are already done and have been for quite some time.

    (side note, #1 is also officially fixed and has been for a week, the official notice of the fix is me saying it right now)
    wardmundy, leemason and mcbsys like this.
  4. MartyAtParsec

    MartyAtParsec New Member

    Okay, so the "official notice" mechanism is buried in a blog post response chain? Is there maybe some other way to do this?
  5. In addition to the official CVE, you can also follow the Schmooze/FreePBX Status Blog located at http://schmoozestatus.tumblr.com. We will be including official notices on that blog; please note it is purposely built outside our infrastructure (hence the tumblr.com blog). You can follow using the RSS feed http://schmoozestatus.tumblr.com/rss as well. We will also typically include these announcements in our email newsletters, which you can get by signing up for a forum account at freepbx.org.
  6. tm1000

    tm1000 Schmoozecom INC/FreePBX

    If I made an official notice of every commit I do to this project I would never get any work done. You can follow our commit logs if you wish. They are on http://www.github.com/freepbx

    wardmundy and james like this.
  7. l4cky

    l4cky Member

    I typed in amportal a modadmin upgrade framework Asterisk CLI but it says No such command 'amportal a modadmin upgrade framework' (type 'core show help amportal a' for other possible commands).
    Does that mean I need to type core show amportal a modadmin upgrade framework ?
  8. lgaetz

    lgaetz Pundit

    The 'amportal' command is for the Linux CLI not the Asterisk CLI.
  9. l4cky

    l4cky Member

    root@pbx:~# amportal a modadmin upgrade framework
    Please wait...
    Downloading 3425055 of 3425055 (100%) 
    Module framework successfully downloaded
    Module framework successfully installed
    chattr: Operation not supported while reading flags on /var/www/html/cxpanel
    chattr: Operation not supported while reading flags on /var/www/html/provisioning

    um... help..
  10. wardmundy

    wardmundy Nerd Uno

    l4cky: Unless you really know what you are doing, upgrade FreePBX modules from within the Module Admin component of the FreePBX GUI, not from the Linux CLI. You haven't damaged anything thus far so head back onto the reservation and upgrade everything else from there. :red indian:
    Huckda likes this.