Security Issues with Call Forwarding Abilities

So there is a bit of a security concern I see with FreePBX and the call forwarding option - and there may be other options.

When I dial the number to do call forwarding, it asks for phone extension. This then allows me to put in ANY phone extension. Then it will ask for the location to forward to.

In essence, I could dial the feature code to do call forwarding, enter someone else’s extension - and set it up to call forward wherever I’d want.

Definite security issue here - is there a way that this can be resolved/fixed without removing the call forwarding feature?

Nobody knows how to circumvent this security issue? Certainly there must be a way - without fully disabling the call forwarding capability - to limit the call forwarding to the line you are calling in from.

This is an amazing oversight in security. We’re bumping this thread in hopes someone has a solution.

We added a simple patch that comments out the portion of code that allows one to select an extension. You can find it in the Trac here:

Whether it’s accepted or not, I’d love an explanation either way.

Glad that someone has discovered that this is as large as a security flaw as I thought as well.

How can the patch be applied? I can see the .diff file when going to the ticket, but is it simply copy/pasted into a file - and how can the changes be made to the proper file?

Just added the PHP commenting lines in the appropriate place - all seems good.

So I put the patch in as indicated.

I then did a *90 from my phone and it still asks for the extension - then the pound key. I did restart the asterisk process before trying - so not sure if anyone else tested this.

I also did a restart on the PBX server as well - and it still asks for extension and pound key.