Our friends on the Elastix development team at Palosanto have just informed us that a security threat has been discovered. It affects servers running Elastix versions 1.5 and 1.6. The vulnerability allows remote users to write files on the server’s hard drive through FreePBX. The attack chains two different security problems:
- the first problem allows access to the FreePBX “not embedded” interface with administrator privileges
- the second problem allows a user to write files on the file system, through the administrator FreePBX “not embedded” interface
The first problem was fixed at the end of 2010. The fix for the second problem is described at http://elx.ec/secalert052011. The update fixes both problems mentioned above and is available in the Elastix update repository. It can be applied from the console by running the command “yum update freePBX”, or from the Elastix updates Web interface.
Friendly Reminder to “Do-it-Yourselfers”
It is our strong recommendation that you upgrade FreePBX only via Elastix RPM packages — not through the “not embedded” interface. Updating FreePBX from the “not embedded” interface can overwrite important changes in the RPM packages distributed with Elastix.
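As an added example (not part of the advisory or of Elastix itself), a small POSIX sh helper that summarises `rpm -V freePBX` output so an administrator can see whether files owned by the Elastix freePBX RPM have been overwritten, which is what an upgrade run from the “not embedded” interface would cause. The package name comes from the advisory; the sample `rpm -V` lines and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: parse `rpm -V freePBX` output (fed on stdin) and report
# RPM-owned files whose content differs from the package or that are missing.
# On a real Elastix host run:  rpm -V freePBX | count_overwritten
# (no output from rpm -V means every packaged file is still intact).

# Prints one line per overwritten or missing file; its exit status is the
# number of such files, so 0 means "package files untouched".
count_overwritten() {
    n=0
    while read -r attrs type path; do
        [ -z "$attrs" ] && continue
        # Lines without a file-type marker arrive as "attrs path": shift fields.
        if [ -z "$path" ]; then path=$type; type=""; fi
        case "$attrs" in
            missing) echo "MISSING  $path"; n=$((n + 1)); continue ;;
        esac
        # Config files ('c') legitimately differ after local edits; skip them.
        [ "$type" = "c" ] && continue
        # A '5' in the attribute string means the file digest no longer
        # matches the RPM: the file was replaced outside of yum/rpm.
        case "$attrs" in
            *5*) echo "MODIFIED $path"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# Constructed sample of rpm -V output (paths are illustrative, not real findings).
SAMPLE='S.5....T  /var/www/html/admin/modules/core/functions.inc.php
.......T  /var/www/html/admin/common/php-asmanager.php
S.5....T  c /etc/amportal.conf
missing   /var/www/html/admin/images/elastix.png'

printf '%s\n' "$SAMPLE" | count_overwritten
echo "overwritten or missing package files: $?"
```

Only the first and last sample lines are reported: the second differs only in mtime and the third is a config file.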