SAINT CorporationSAINT:39552A768A14F561C49AE81E9E058E30FreePBX Framework Module view.functions.php Remote Code Execution
0.965 High
EPSS
Percentile
99.6%
Added: 04/03/2014
CVE: CVE-2014-1903
BID: 65509
OSVDB: 103240
Background
FreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk.
Problem
The Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the **config.php** script is not propery sanitized upon submission to the **admin/libraries/view.functions.php** script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable.
Resolution
Upgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher.
References
<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice>
<http://issues.freepbx.org/browse/FREEPBX-7123>
<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php>
Limitations
The **telnet** application must exist on the target system.
Platforms
Linux
Related
