Hacking with web-user injection. Web interface does not always ask for credentials

Bas,
I see that you opened a support ticket with us earlier today, and we will continue communication through that ticket while we investigate.

In the future, the best place to report potential security issues with FreePBX is going to be issues.freepbx.org. When reporting information to issues.freepbx.org in the future, do NOT put personal information such as SSH information in the ticket. Once the ticket is reviewed, if it's security related it will be locked to Schmooze Staff and investigated further.

Are you sure you are not modifying things? I just tried this same attack vector on a brand new install and nothing happens. It gets blocked.

Am I being punked or something? You did not think to tell us this sooner. Does your backup include the webroot? If yes, then the backup will have whatever files were on their old system.

Well you are making some changes somewhere beyond just a backup/restore.

Locking this thread, as the user in question was updating FreePBX to the highest version, then replacing the webroot with a custom modified version of FreePBX dated August 2013, which is not updated to protect against the vulnerabilities we've patched.