FreePBX 'admin/config.php' Remote Code Execution Vulnerability

Summary
FreePBX is prone to a remote code-execution vulnerability.
Impact
Successfully exploiting this issue will allow attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Solution
Updates are available.
Insight
admin/libraries/view.functions.php does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
Affected
FreePBX versions 2.9, 2.10, 2.11, and 12 are vulnerable.
Detection
Try to execute a command with a specially crafted HTTP GET request.
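A passive complement to the active check is to review web server access logs for requests to admin/config.php that carry both the function and args parameters named under Insight. The following is an added example, not part of the advisory or of any scanner; it assumes Apache/nginx combined log format, and the sample log lines, addresses and parameter values are constructed placeholders.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote

# Start of a common/combined log line: client ident user [timestamp] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample input (documentation address ranges, placeholder parameter values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/config.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/config.php?function=EXAMPLE&args=EXAMPLE HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /admin//config.php?args=EXAMPLE&f%75nction=EXAMPLE HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?function=a&args=b HTTP/1.1" 200 100',
]

def suspicious_requests(lines):
    """Return (client, timestamp, method, status) for every request to
    admin/config.php whose query string has both `function` and `args`."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log request line
        client, ts, method, target, status = m.groups()
        raw_path, _, query = target.partition("?")
        # Decode and normalise so doubled slashes or %-encoded letters still match.
        path = normpath(unquote(raw_path))
        if not path.endswith("/admin/config.php"):
            continue
        # parse_qs percent-decodes parameter names, as PHP does before dispatch.
        names = set(parse_qs(query, keep_blank_values=True))
        if {"function", "args"} <= names:
            hits.append((client, ts, method, int(status)))
    return hits

if __name__ == "__main__":
    for client, ts, method, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {client} {method} admin/config.php function+args -> HTTP {status}")
```

Access logs record the query string but not request bodies, so this review only sees parameters sent in the URL. A hit with a 200 status on a host running an affected version warrants checking whether the update has been applied.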