So there is a bit of a security concern I see with FreePBX and the call forwarding option - and there may be other options.
When I dial the number to do call forwarding, it asks for phone extension. This then allows me to put in ANY phone extension. Then it will ask for the location to forward to.
In essence, I could dial the feature code to do call forwarding, enter someone else’s extension - and set it up to call forward wherever I’d want.
Definite security issue here - is there a way that this can be resolved/fixed without removing the call forwarding feature?
Nobody knows how to circumvent this security issue? Certainly there must be a way - without fully disabling the call forwarding capability - to limit the call forwarding to the line you are calling in from.
Glad that someone has discovered that this is as large a security flaw as I thought as well.
How can the patch be applied? I can see the .diff file when going to the ticket, but is it simply copy/pasted into a file - and how can the changes be made to the proper file?
I then did a *90 from my phone and it still asks for the extension - then the pound key. I did restart the Asterisk process before trying - so not sure if anyone else tested this.
I also did a restart on the PBX server as well - and it still asks for extension and pound key.