Limited system information exposure

(TheJames) #1

Reported: 10/23/2013
Component: Framework
Fix Released: 10/23/2013
Exposure level: Low

A potential information exposure has been brought to our attention by a member of the community. Through a specially crafted URL an attacker who has access to http on your system could expose the Asterisk Manager and MySQL passwords. Since access using the exposed passwords is locked down to local system access there is nothing useful the attacker could do with these. If you have modified your system to allow open remote access to AMI or Mysql with these same credentials there would be additional risks. There is no known exploit using this information. Also absolutely no trunk or extension secrets are revealed. It is anyhow recommended that users update to the latest version of Framework for their release which has addressed this.

As always, best security practices are recommended.

  • Eliminate public exposure of your system wherever possible.
  • Limit necessary exposure to known IP addresses whenever possible.
  • Keep your system up to date.

Security is a #1 priority with Schmooze and the FreePBX team. If you find any potential security issues please report them to [email protected]

Affected versions:

  • 2.9
  • 2.10
  • 2.11
  • 12

Fixed Framework module versions:

  • 12.0.1rc37

Thank you for using FreePBX

(TheJames) unpinned #4