Exploit code found on system


In the FreePBX Notices box, I noticed an error under cronmanager referencing a file in /tmp/ that looked suspicious. Investigating, I found base64decode with typical obfuscated PHP; this particular one showed a failure error, but I found the same code in another file within the webroot.

Decoding the string, I found obvious exploit code present. The code obviously is explicitly targeting FreePBX by attempting to extract the amportal username/password from configuration.

I’d be happy to share this with the development team, but I don’t feel it’s appropriate to post the exploit code on a public forum.

Are there any known issues which could allow code upload to /tmp/ then using cronmanager to copy those files to the webroot for later execution?

Please send details to [email protected]