
ALERT FreePBX Vulnerability

Discussion in 'Bug Reporting and Fixes' started by wardmundy, Feb 6, 2014.

  1. wardmundy Nerd Uno


    We strongly recommend that you immediately upgrade your FreePBX Framework module to address this vulnerability. As all servers should be, PIAF and Incredible PBX servers sitting behind hardware-based firewalls with no HTTP (port 80) exposure are protected from outside attacks. Similarly, systems that have deployed Travelin' Man 3 are protected from anonymous HTTP attacks. Purely from an academic standpoint, we differ a bit on the scope of this vulnerability on PIAF systems (NOT Raspberry Pi and Beaglebone platforms!) because of the PIAF Apache authentication mechanism that generally protects FreePBX resources on PIAF servers; however, everyone should install the upgrade to be absolutely secure... especially Incredible PBX users on the Raspberry Pi and Beaglebone platforms! UPDATE: This upgrade is automatically pushed to all Incredible PBX systems on the first root login.
    amportal a modadmin upgrade framework
    amportal a r
    Very nice job by the FreePBX Dev Team in highlighting security issues in the FreePBX GUI now!!

    Last edited by wardmundy, Feb 7, 2014
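The post above rests on one condition: the FreePBX web GUI must not be reachable on port 80 from outside. As an added example (not code from the thread, PIAF or FreePBX), the script below parses `ss -ltn` style output and reports any HTTP or HTTPS listener bound to something other than loopback. The listing it parses is constructed sample data so it runs offline; on a real box you would feed it `ss -ltn` (field layout assumed: state in column 1, local address:port in column 4).

```shell
#!/bin/sh
# Added example, not part of the original thread or of PIAF/FreePBX.
# Reports listening sockets on port 80 or 443 that are bound beyond loopback,
# i.e. HTTP exposure that a hardware firewall or Travelin' Man 3 is meant to
# remove. Parses `ss -ltn` style output; the listing below is constructed
# sample data (assumption: column 1 = state, column 4 = local address:port).

SAMPLE_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:80        0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      128    [::]:5060           [::]:*
LISTEN 0      128    [::1]:80            [::]:*'

# exposed_http LISTING
# Prints host:port for every LISTEN socket on 80/443 whose bind address is
# not loopback (127.x or [::1]). Returns 0 if nothing is exposed, 1 otherwise.
exposed_http() {
    hits=$(printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the final ":" is the host, IPv6 brackets included
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port != "80" && port != "443") next
            if (host == "[::1]" || host ~ /^127\./) next
            print host ":" port
        }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# exposed_http_count LISTING -> number of exposed HTTP(S) listeners (0 if none)
exposed_http_count() {
    exposed_http "$1" | awk 'END { print NR }'
}

if exposed_http "$SAMPLE_LISTING" >/dev/null; then
    echo "No HTTP listener bound beyond loopback."
else
    echo "HTTP listener(s) exposed beyond loopback:"
    exposed_http "$SAMPLE_LISTING"
fi
```

A wildcard bind (`0.0.0.0` or `[::]`) is reported as exposed even if a firewall in front of the box drops the traffic; the script only tells you what the host itself would accept, which is exactly the question to answer before deciding whether the firewall is doing the protecting.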
  2. mcbsys Guru

    A little update/feedback on handling this.

    1. The blog post's comments warn of possible issues with PHP below 5.3. Sounds like that was fixed in an update to the update but I wanted to check. Easy: go to the FreePBX admin page and select Reports > PHP Info. The header lists the PHP version (5.3.10 in my case).

    2. I currently have FreePBX The security update is NOT called out as shown above. All I see is this:

    3. One thing I love about PiaF is that for the most part I can forget about it, treat it like an appliance. At the moment, it's been up for 35 weeks. All this client needs is to make and receive calls on three phones, so the gazillion module updates are usually unnecessary. And it just works--I almost never log on to the UI. However I do want to apply security fixes, just to be safe. It would be nice if when FreePBX emails me the "New Online Updates Available," it would highlight any that are security-related so I would know to pay attention...

    Updating the 49 modules seems to have gone well except for a "symlink from modules failed" issue that I will post separately.
    Last edited by mcbsys, Feb 17, 2014
    wardmundy likes this.
  3. tm1000 Schmoozecom INC/FreePBX

    For clarification on security related issues (and since I don't want people to think their systems are 'broken'), the orange notice and email messages about security vulnerabilities are only included in FreePBX 2.11, you will not see any of those messages or notices in anything 2.10 or lower.

    So actually #2 and #3 are already done and have been for quite some time.

    (side note, #1 is also officially fixed and has been for a week, the official notice of the fix is me saying it right now)
    wardmundy, leemason and mcbsys like this.
  4. MartyAtParsec New Member

    Okay, so the "official notice" mechanism is buried in a blog post response chain? Is there maybe some other way to do this?
  5. tm1000 Schmoozecom INC/FreePBX

    If I made an official notice of every commit I do to this project I would never get any work done. You can follow our commit logs if you wish. They are on http://www.github.com/freepbx

    wardmundy and james like this.
  6. l4cky Member

    I typed amportal a modadmin upgrade framework into the Asterisk CLI, but it says No such command 'amportal a modadmin upgrade framework' (type 'core show help amportal a' for other possible commands).
    Does that mean I need to type core show amportal a modadmin upgrade framework?
  7. lgaetz Pundit

    The 'amportal' command is for the Linux CLI not the Asterisk CLI.
  8. l4cky Member

    root@pbx:~# amportal a modadmin upgrade framework
    Please wait...
    Downloading 3425055 of 3425055 (100%) 
    Module framework successfully downloaded
    Module framework successfully installed
    chattr: Operation not supported while reading flags on /var/www/html/cxpanel
    chattr: Operation not supported while reading flags on /var/www/html/provisioning

    um... help..
    Last edited by l4cky, Feb 24, 2015
  9. wardmundy Nerd Uno

    @l4cky: Unless you really know what you are doing, upgrade FreePBX modules from within the Module Admin component of the FreePBX GUI, not from the Linux CLI. You haven't damaged anything thus far, so head back onto the reservation and upgrade everything else from there.
    Huckda likes this.