
ALERT New FreePBX Vulnerability

Discussion in 'Bug Reporting and Fixes' started by wardmundy, Feb 6, 2014.

  1. wardmundy Nerd Uno


    We strongly recommend that you immediately upgrade your FreePBX Framework module to address this vulnerability. As all servers should be, PIAF and Incredible PBX servers sitting behind hardware-based firewalls with no HTTP (port 80) exposure are protected from outside attacks. Similarly, systems that have deployed Travelin' Man 3 are protected from anonymous HTTP attacks. Purely from an academic standpoint, we differ a bit on the scope of this vulnerability on PIAF systems (NOT Raspberry Pi and Beaglebone platforms!) because of the PIAF Apache authentication mechanism that generally protects FreePBX resources on PIAF servers; however, everyone should install the upgrade to be absolutely secure... especially Incredible PBX users on the Raspberry Pi and Beaglebone platforms! UPDATE: This upgrade is automatically pushed to all Incredible PBX systems on the first root login.
    Code:
    amportal a modadmin upgrade framework
    amportal a r
    
    Very nice job by the FreePBX Dev Team in highlighting security issues in the FreePBX GUI now!!

    Last edited by wardmundy, Feb 7, 2014
  2. mcbsys Guru

    A little update/feedback on handling this.

    1. The blog post's comments warn of possible issues with PHP below 5.3. Sounds like that was fixed in an update to the update but I wanted to check. Easy: go to the FreePBX admin page and select Reports > PHP Info. The header lists the PHP version (5.3.10 in my case).

    2. I currently have FreePBX 2.10.1.10. The security update is NOT called out as shown above. All I see is this:
    [IMG: FreePBX.2.10.png]

    3. One thing I love about PiaF is that for the most part I can forget about it, treat it like an appliance. At the moment, it's been up for 35 weeks. All this client needs is to make and receive calls on three phones, so the gazillion module updates are usually unnecessary. And it just works--I almost never log on to the UI. However I do want to apply security fixes, just to be safe. It would be nice if when FreePBX emails me the "New Online Updates Available," it would highlight any that are security-related so I would know to pay attention...

    Updating the 49 modules seems to have gone well except for a "symlink from modules failed" issue that I will post separately.
    Last edited by mcbsys, Feb 17, 2014
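The upgrade commands from post #1 and the "PHP below 5.3" caveat from post #2, combined into one pre-flight script. This is an added example, not code from the thread or from the FreePBX project; it assumes `php -v` prints "PHP x.y.z ..." on its first line and only runs the upgrade when `amportal` is actually present.

```shell
#!/bin/sh
# Pre-flight check before applying the FreePBX Framework security update:
# refuse to upgrade on PHP older than 5.3, the version floor mentioned in
# the thread. The amportal commands are the ones from post #1; the version
# parsing is this script's own (assumption: `php -v` starts with "PHP x.y.z").

MIN_PHP_MAJOR=5
MIN_PHP_MINOR=3

# php_version_ok VERSION -> returns 0 if VERSION is >= 5.3, 1 otherwise.
# Compares numerically so "5.10.0" is not mistaken for older than "5.3".
php_version_ok() {
    case "$1" in
        *.*) ;;            # must look like x.y[.z]
        *) return 1 ;;     # empty or unparseable: treat as not OK
    esac
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt "$MIN_PHP_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_PHP_MAJOR" ] && [ "${minor:-0}" -ge "$MIN_PHP_MINOR" ] && return 0
    return 1
}

# installed_php_version -> the x.y.z version reported by the php CLI.
installed_php_version() {
    php -v 2>/dev/null | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Only act on a real FreePBX box (amportal present); otherwise just define
# the functions above so they can be reused or tested.
if command -v amportal >/dev/null 2>&1; then
    ver=$(installed_php_version)
    if php_version_ok "$ver"; then
        echo "PHP $ver is >= 5.3; upgrading the framework module"
        amportal a modadmin upgrade framework && amportal a r
    else
        echo "PHP $ver is older than 5.3; upgrade PHP before the framework" >&2
        exit 1
    fi
fi
```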
  3. tm1000 Schmoozecom INC/FreePBX

    For clarification on security-related issues (and since I don't want people to think their systems are 'broken'), the orange notice and email messages about security vulnerabilities are only included in FreePBX 2.11; you will not see any of those messages or notices in anything 2.10 or lower.

    So actually #2 and #3 are already done and have been for quite some time.

    (side note, #1 is also officially fixed and has been for a week, the official notice of the fix is me saying it right now)
  4. MartyAtParsec New Member

    Okay, so the "official notice" mechanism is buried in a blog post response chain? Is there maybe some other way to do this?
  5. tm1000 Schmoozecom INC/FreePBX

    If I made an official notice of every commit I do to this project I would never get any work done. You can follow our commit logs if you wish. They are on http://www.github.com/freepbx
