We also received notification. We updated all servers this morning to version 13.0.197.13 and 14.0.13.11.
As we were finishing, we noticed that the servers now show they need to be updated again, from version 13.0.197.13 to 13.0.197.14 and from version 14.0.13.11 to 14.0.13.12.
We are in the process now of going back through all servers again. Are version 13.0.197.13 and 14.0.13.11 still vulnerable?
Can it be confirmed that version 13.0.197.14 and 14.0.13.12 are patched?
Thank you
In the early days of FreePBX, there were several vulnerabilities similar to this one, where a specially crafted request to a specific page in the admin tree could bypass authentication or run arbitrary code.
In version 2.x, the system was changed to replace the PHP-based logic with regular Apache digest authentication (htaccess / htpasswd). This is simpler, gets much more peer review than FreePBX, and has a good record of remaining secure.
Why was this switched back to use a custom login screen?
“webserver” seems to give the most flexibility, in that it asks Apache to handle the authentication while the usermanager module does the authorization.
In that way you could use any Apache auth module, not just basicauth. Plug in an SSO service, or PAM and auth against your Linux password file, 2FA, etc…
“Apache digest authentication (htaccess / htpasswd)” was added a long time ago. It was never the default and it shouldn’t be. The custom login screen has always been the default. You can never log out from Apache digest authentication.
It’s still an option if you wish to use it (as pointed out by Bill)… however.
The single issue with this is that you’d still be unable to log out.
(The solution in the Stack Overflow answer is to send a 401; the problem there is that the 401 is logged and picked up by fail2ban.)
If it was the end-all/be-all you’d see Facebook, Google, LinkedIn, etc. using it. There’s a reason websites (FreePBX is a website) don’t use Digest Authentication.
Furthermore, when you use Digest Authentication you end up breaking many commercial modules of FreePBX, namely Zulu. Zulu would break completely, and so could contact manager images on your phone. The API module would also be useless. This is because all of these modules run through config.php, and “Digest Authentication” locks down config.php.
If you want to enable it, and you don’t use commercial modules, and you don’t mind that you can essentially NEVER log out (there’s no session to clear!), and you don’t mind not being able to set your language or locale in FreePBX, and you are a hobbyist, then go for it!
** I spent a day trying to get Digest Authentication to work with FreePBX a couple of years ago, there are many issues with it.
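To make the "no session to clear" point from this post and the earlier one on Apache digest authentication concrete, here is an added example written for this thread; it is not code from FreePBX, from Apache, or from anyone in the discussion. It plays an RFC 2617 style digest exchange (qop="auth") in plain Python with both sides' messages: the server holds only the htdigest-style HA1 table and a set of issued nonces, never a session, so the only way to "log out" is to answer with another 401, which is also the log line fail2ban would see. The realm, username, password, URIs, client IP and access-log line are all constructed for the demo.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_htdigest(realm: str, users: dict) -> dict:
    """What Apache's htdigest tool stores per user: HA1 = MD5(user:realm:password).
    Constructed users only; no real htdigest file is read."""
    return {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}


class DigestServer:
    """Server side. Note there is no session table: every request is judged
    purely on the proof it carries, which is why nothing can be 'logged out'."""

    def __init__(self, realm: str, htdigest: dict):
        self.realm = realm
        self.htdigest = htdigest
        self.nonces = set()  # nonces we have handed out and still accept

    def challenge(self) -> dict:
        """A 401 with WWW-Authenticate: sent when a request carries no proof,
        and also the only thing a server can send to make a browser forget
        cached credentials (the 'logout' trick mentioned in the thread)."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return {"status": 401, "realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> int:
        """Return the status for a request carrying an Authorization header.
        A real server additionally checks auth['uri'] against the request line."""
        ha1 = self.htdigest.get(auth["username"])
        if ha1 is None or auth["nonce"] not in self.nonces:
            return 401
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(
            f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        # constant-time comparison of the proof
        return 200 if secrets.compare_digest(expected, auth["response"]) else 401


class DigestClient:
    """Browser side: after one challenge it caches realm and nonce and silently
    attaches a fresh proof to every later request in that realm."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.cached = None
        self.nc = 0

    def remember_challenge(self, chal: dict) -> None:
        self.cached, self.nc = chal, 0

    def authorization(self, method: str, uri: str) -> dict:
        chal = self.cached
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        ha1 = md5_hex(f"{self.username}:{chal['realm']}:{self.password}")
        ha2 = md5_hex(f"{method}:{uri}")
        response = md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        return {"username": self.username, "realm": chal["realm"],
                "nonce": chal["nonce"], "uri": uri, "qop": "auth",
                "nc": nc, "cnonce": cnonce, "response": response}


def run_exchange(password_used: str) -> list:
    """Play one session: unauthenticated GET -> 401 challenge, then two
    authenticated GETs. Returns the status codes the client saw."""
    realm = "FreePBX Administration"                      # constructed realm
    server = DigestServer(realm, make_htdigest(realm, {"admin": "correct-horse"}))
    client = DigestClient("admin", password_used)
    chal = server.challenge()
    seen = [chal["status"]]
    client.remember_challenge(chal)
    for uri in ("/admin/config.php", "/admin/config.php?display=users"):
        seen.append(server.verify("GET", client.authorization("GET", uri)))
    return seen


def force_logout(server: DigestServer, client_ip: str = "192.0.2.10") -> tuple:
    """The only 'logout' available: answer with another 401 so the browser
    drops its cached credentials. Returns the status plus the kind of access
    log line Apache would write for it (constructed, combined-log style),
    which is exactly what a fail2ban filter matching 401s would count."""
    status = server.challenge()["status"]
    log = (f'{client_ip} - admin [01/Jan/2024:00:00:00 +0000] '
           f'"GET /admin/logout HTTP/1.1" {status} 0')
    return status, log


if __name__ == "__main__":
    print(run_exchange("correct-horse"))   # [401, 200, 200]
    print(run_exchange("wrong"))           # [401, 401, 401]
    print(force_logout(DigestServer("r", {}))[1])
```

Two things to notice when reading it against the thread: `DigestServer` has no state per user beyond the HA1 table, so there is no server-side object a logout handler could delete; and the forced 401 that makes the browser forget credentials is indistinguishable in the access log from a genuine failed login, which is why a fail2ban filter counting 401s would treat every logout as an attack attempt.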