If it only takes a minute why don’t you write a script that demonstrates this directory scanning procedure and share it? That way non-developer folks like myself can run it and let the developers know the results.
Here you go:
#!/bin/bash
# Reads a list of web-root file paths on stdin (the post does not show their source;
# cut keeps fields from the 5th on, which fits paths like /var/www/html/...).
if [ -z "$1" ]; then
  echo "Need a string as an argument"
  exit 1
fi
PASSWORD="$1"
cut -d/ -f5- |
while read url; do
  echo -en "Checking $url \r"
  curl -sSi http://localhost/"$url" |
  grep -q "$PASSWORD" && echo -e "\n"Found "$url"
done
You need to specify the string you are looking for as an argument (usually your password).
It takes about 30 secs to finish on my install under VirtualBox.
Fair enough I will run it in the morning.
So let me get this straight
Your exploit requires the following:
- Someone has to be able to log into the command line of the box.
- They need to search for a specific password that they would have to know in advance.
Ok so what I was referring to is in this bug report. http://www.freepbx.org/trac/ticket/5585
The ARI Admin Username and Password was exposed in the /recordings directory without being logged into the ARI. This was not exposed anywhere else and was not disclosing the Admin Username and Password as was stated in other forums, but the ARI admin username and password. This was introduced 3 days ago by a mistake and has been corrected in the latest ARI Framework module.
Please note this only affects 2.10 Beta customers and only people who updated the ARI module in the past 3 days.
My two cents,
first of all, SkykingOH, thanks for your patience in helping to get some useful information out of the post here. Also, thank you for your humbleness as you are WAY more important to this project and your contributions than you allude to!
As far as this issue, I would simply ask readers (and the reporter) who have gone this far in the future to approach this sort of issue with a bit more of a level head and remove the drama, accusations, confrontations, etc. It does no one any good and simply gets a lot of less knowledgeable people who may be reading these blogs concerned without understanding the implications.
As Tony mentioned, this was published less than 3 days ago, it was reported yesterday and it was fixed and published this morning. It was a security issue though, as Tony points out, an issue that was limited to the ARI admin credentials, which gives access to a wider range of call recordings and similar. That clearly makes it a security concern, which is taken seriously. That, or anything else, doesn't really call for the "panic" that seems to be running through some of the emotions here.
Thanks everyone who found this, reported it and helped track it down to get resolution!
Just another day at the office <<g>>
I’m pretty confused. I have several 2.10 PBXs running very smoothly, thank you. I use CSF and control who and what gets through via /etc/csf/csf.conf and /csf/csf.allow
If I leave 80 open today, am I safe, as of today, from hackers getting my password info through the URL bar?
I want to redirect https to /recordings and use some sort of hyper text access file to gain access to /admin
What is the best way to go about this? Simply setting a password in /var/www/html/htaccess does not make some CGI window pop up for authentication to grant privileges to the path beyond.
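One way to do what the post above asks, as an added example that is not from this thread or from the FreePBX project: it assumes Apache httpd with mod_rewrite and mod_ssl loaded, the FreePBX web root at /var/www/html, and hypothetical paths for the certificate and the htpasswd file.

```apache
# Added example (not from the thread): protect /admin with HTTP Basic auth
# and push /admin and /recordings onto HTTPS so the credentials never cross
# the wire in clear. Assumed paths: web root /var/www/html and a password
# file created with:  htpasswd -c /etc/httpd/conf/admin.htpasswd pbxadmin

<VirtualHost *:80>
    RewriteEngine On
    # Anything under /admin or /recordings requested over plain HTTP is
    # redirected to the same URL on HTTPS.
    RewriteCond %{HTTPS} off
    RewriteRule ^/(admin|recordings)(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    # Hypothetical certificate locations; use your own.
    SSLCertificateFile    /etc/pki/tls/certs/pbx.crt
    SSLCertificateKeyFile /etc/pki/tls/private/pbx.key
    DocumentRoot /var/www/html

    # Authentication for the admin GUI, placed in the vhost so it applies
    # even when per-directory files are ignored. If you prefer a file in the
    # directory instead, it must be named .htaccess (leading dot) inside
    # /var/www/html/admin, and the enclosing <Directory /var/www/html> block
    # must carry "AllowOverride AuthConfig" or the file is silently skipped,
    # which is why no login prompt appears.
    <Directory /var/www/html/admin>
        AuthType Basic
        AuthName "FreePBX Administration"
        AuthUserFile /etc/httpd/conf/admin.htpasswd
        Require valid-user
    </Directory>

    # The same block can be repeated for /recordings (the ARI) if you want a
    # web-server password in front of it as well.
</VirtualHost>
```

Run `apachectl configtest` before reloading; a typo in a <Directory> block takes the whole site down rather than just the protected path.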
If the server is in a datacenter that is not really an option unless you then want to use OpenVPN or other things that complicate the setup.
This conversation should not be about how it’s connected because talking about security is a never ending debate.
There may be known security flaws that have been fixed, but that doesn't help you with all the security flaws that have yet to be discovered and reported.
As such, leaving http access open always poses risk.
The safest is to create a VPN for access.
Great job making a long post that has nothing to do with the topic of this thread and blaming the victim (as usual) for using the internet. All talk, no listen.
If you think that is a practical solution then why don't you make http access via VPN the default? Build it right into the product if that is your solution to security. However you answer, maybe it will make you think like the end user instead of blaming the internet.
Why don't banks and google and anyone else with a website or any kind of http access all do this? Because it's not practical, and if you disagree then I'm sure you will have no problem just including it by default with FreePBX installs. Make OpenVPN a requirement on Linux and include a module to hook in... because you apparently think that is the solution to http security, so why not?!
I’m not sure what your point is. This issue was discovered, reported and fixed.
My point is pretty straight forward, which is that I obviously can’t tell you of the security flaws that have not been discovered. Telling you anything else would be a lie. Thus if you want to be really safe, using a VPN is the way to go.
None of us developers want to or plan on dictating what VPN you should use, if any. Furthermore, we are actually open to feedback and fixing things in FreePBX and the distro and over time have put more and more in to try and make it safer. With all that said, I would be doing the whole community an injustice if I told you to simply go for it, we’ve found everything we can find so you should be safe, when I know the project does not have the manpower and security expertise to do that.
I don’t think there is really much more to say, it is what it is and we do what we can.
Keep in mind that with the tremendous resources that financial institutions have to invest in security you still hear about data leaks.
Google is a bad example, you would be brain dead to put any sensitive information in a system hosted by Google.
My bank offers an access option with 2 factor authentication (with a key fob to generate the second factor) to its private banking customers. I feel much more secure with this approach. So clearly the bank does not completely trust the webapps or they would not go through the expense of this option.
FreePBX is just a small team of developers building a web interface and PBX functionality for Asterisk. Frankly folks use it in ways never imagined (this whole Amazon EC2 thing has me stunned, the move to virtualization is one of the fastest trends I have seen in my 30+ years in the industry) and the community is encouraged to assist in any hardening that is desired.
I have always said I want the developers building PBX features, not concentrating on security.
One other thing, the sysadmin module is one of the examples of a balance of security vs convenience. To me this is so far outside the scope of the FreePBX franchise it should have never been done. If you can’t type ‘system-config-network’ perhaps setting up an IP PBX is outside your pay grade. However, it was done so here we are. Just another example of the balance that is asked of the team.