FreePBX Security Vulnerability

wardmundy · #1 04-20-10, 07:30 PM

There is a very serious security vulnerability that needs to be patched by loading the very latest version of FreePBX Framework as soon as it becomes available for your version of FreePBX. Just displaying a CDR report in the FreePBX browser could compromise your system.

The 2.5 and 2.6 patches already have been released and probably 2.7 as well. Load this patch IMMEDIATELY!!!

Setup, Module Admin, Check for Updates on Line, Upgrade All

2.5.2.3: #4223 Security Vulnerability
2.6.0.2: #3805, #3707, #4188, #4223 Security Vulnerability

tm1000 · #2 04-20-10, 07:54 PM

Thanks!!

jtjacobs · #3 04-20-10, 09:44 PM

Thanks for the Alert

jehowe · #4 04-20-10, 09:54 PM

Thanks for the heads up Ward, the 2.7 (2.7.0.2) framework update was available.

It must be really bad, trivial, or both. The FreePBX note for this bug is- "details not provided to minimize exposure"

mruge · #5 04-20-10, 09:56 PM

Done and Done! Thanks Ward!

jtjacobs · #6 04-20-10, 11:49 PM

So, after I applied the patch, FreePBX started complaining about a default SQL password and a default Asterisk Manager Password. Should I just run passwd-master again?

jroper · #7 04-21-10, 12:26 AM

Hi

That's normal behaviour, and not an issue - they are only listening to localhost, so if some one gets that far, the AMI, and the database are the least of your worries.

Leave it all as it is.

Joe

wardmundy · #8 04-21-10, 06:07 AM

Originally Posted by jtjacobs

So, after I applied the patch, FreePBX started complaining about a default SQL password and a default Asterisk Manager Password. Should I just run passwd-master again?

This thread will show you how to remove the warning messages.

wardmundy · #9 04-21-10, 08:26 AM

Just released an updated Incredible PBX that incorporates the security fix.

dswartz · #10 04-21-10, 10:30 AM

I'd love to know what the bug was - I have never been a fan of security through obscurity