I updated four modules yesterday to the latest version. They were Conferences Pro, Broadcast, UCP and Endpoint (Commercial). Upon reloading the GUI I was presented with a security warning:
Your have 1 tampered files
This is a critical issues and should be resolved urgently.
Module: “FreePBX Framework”, File: “/var/www/html/admin/.htaccess altered”
I did update Framework the previous day to the latest version but do not recall seeing this issue.
This is what is in my .htaccess file. It looks normal.
I have tried running:
amportal chown
amportal a ma refreshsignatures
amportal a r
But everything checked out OK.
Any ideas what is going on? This box is behind a firewall and is not exposed to the internet with the exception of Port 5060 which is restricted to only my provider IP addresses.
# License for all code of this FreePBX module can be found in the license file inside the module
directory
# Copyright 2013 Schmooze Com Inc.
#
SetEnv HTACCESS on
# Disallow all file access first
#
<FilesMatch "\..*$">
Deny from all
</FilesMatch>
# Now allow /admin, /admin/config.php and /admin/index.php as well as the various assets
#
<FilesMatch "(^$|index\.php|config\.php|ajax\.php|\.(gif|GIF|jpg|jpeg|png|css|js|swf|txt|ico|ttf|svg|e
ot|woff|wav|mp3|aac|ogg|webm|jar)$)">
Allow from all
</FilesMatch>
php_value max_input_vars 5000
php_value max_input_vars 10000
<?php
// License for all code of this FreePBX module can be found in the license file inside the module directory
// Copyright 2013 Schmooze Com Inc.
//
if (file_exists(dirname(__FILE__) . '/index_custom.php')) {
include_once(dirname(__FILE__) . '/index_custom.php');
} else {
$basename = pathinfo($_SERVER['PHP_SELF'],PATHINFO_DIRNAME);
$uri = (!empty($basename) && $basename != '/') ? $basename . '/ucp' : '/ucp';
header('Location: '.$uri);
(Would that not make sense to anyone reasonably using this software ?)
will throw up a hairball while comparing any modules against "what is allowed, because we say so and you are wrong to even think about wanting to do that" , come on guys at schmooze, please find a way to allow benign modification of your open source code to be accepted without steadfastly bitching about it. . .
True, the work around would be for most folks to edit the overloaded filer, but you would have to properly document how to edit
index_custom.php
No? If installed, ucp should without doubt be the default homepage, no muss no fuss . .
If you ask for approval you can edit to your hearts content as many have already done. We allow others to edit the files as long as they have a key and have signed our agreement ( Sangoma Documentation ). This system, as much as you probably absolutely hate it, helps to protect you and others from getting hacked because PHP is by far the easiest language to hack. Note that “disabling” said setting disables it temporarily, checking online or uploading a module will re-enable it for security reasons. How can anyone even remotely tell the different between a “benign” modification to a file and a compromised file? Who is to say that “file_get_contents” is or is not allowed in different areas? There’s no way to have a “you can edit all these files cause you are a good boy johnny, but you sally, you are bad, I know because…?”. As I stated, you can get your own GPG key and then fill out our agreement and publish and edit files to your hearts content.
This is not and never has been the reason this was created. Please step down off of your soapbox and meet me at a logical level. The concept for signature signing came about during the second to the last huge security vulnerability. It may not be perfect but when the ARI vulnerability came around the person who discovered it was on a beta release of FreePBX 12 and only discovered said vulnerability because they saw the message, so take it for what it’s worth.
vim index_custom.php
Not so hard is it?
I have never heard you mention that once before except now in this ranty message. (also take note that “schmooze” does not exist). Let’s take a step back and remember that you have the same privileges as all of the other users who report bugs and features requests and you can do it the same as all of them so how about instead of ranting you just report a request. That would be lovely.
This was a bug in Endpoint Manager, first update to the newest endpoint manager (commercial). Then after you’ve done that delete the line from “.htaccess” (php_value max_input_vars 10000). Everything should be good.
Two systems on which we updated modules this AM no have this problem. Both report 34 “tampered” files. This after a module update pass barfed code into the inset progress window. The aforementioned “amportal refreshsignatures” doesn’t work- amportal is deprecated and fwconsole doesn’t support that command.
Suggestions?
Edit to add: FreePBX framework is disabled due to the version. Here is what we get in the progress windows when we try to upgrade and enable:
directory
/var/www/html/admin/modules/framework/install.php
if (file_exists("$wr/admin/libraries/pest/index.php")) {
unlink("$wr/admin/libraries/pest/index.php");
}
// Prune any invalid files in assets or images
$obj = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator("$wr/assets", FilesystemIterator::SKIP_DOTS),
RecursiveIteratorIterator::SELF_FIRST
Thank you for the quick response, Andrew. Unfortunately, that didn’t resolve the problem- the process of updating/enabling FreePBX Framework still barfs the error above into the update progress window.
On one system Web Callback started causing a tamper warning after I picked up some additional module updates. We don’t use it so I removed it entirely.
