We were recently informed of an exploit in one of the PBX in a Flash (PIAF) add-ons used with IncrediblePBX, and have detected that this attack is being used in the wild. The exploit must get through PIAF's HTTP authentication, but it is common to find systems that use the default installation password, which is widely known.
This module is not used on any FreePBX Distros nor is it available from our online repository, but since there is a population of PIAF users who may be affected by this we want to make sure everyone is aware of the issue.
Additionally, if you have changed your machine from a PIAF machine to a FreePBX machine and have not removed this module, you will also be vulnerable.
If you do not use IncrediblePBX and have not added on any of its components, you may generally ignore this.
Users should make sure they are not using the default or other insecure password.
Users should update as soon as the IncrediblePBX developers make an update available.
Users may wish to remove this component if not used.
HTTP authentication can be generally insecure. Do not rely on a secure password with Apache to protect you completely.
NOTE: This only affects users using the component mentioned in the link below and does NOT affect other FreePBX installations.
Please see: http://seclists.org/bugtraq/2014/Oct/128 for additional information.