FreePBX Security Threat Discovered; Solution Proposed

May 16, 2011 | IP PBX (Private Branch Exchange) Product News, VoIP PBX News and Blog

Our friends on the Elastix development team at Palosanto have just informed us that a security threat has been discovered. It affects servers running Elastix versions 1.5 and 1.6. The vulnerability allows remote users to write files to the server’s hard drive through FreePBX. It involves two separate security problems:

  1. the first problem allows access to the FreePBX “not embedded” interface with administrator privileges
  2. the second problem allows a user to write files on the file system, through the administrator FreePBX “not embedded” interface

The first threat was solved at the end of 2010. The solution to the second problem can be found at http://elx.ec/secalert052011. The update fixes the problems mentioned above and is available in the Elastix update repository. It can be installed from the console by running the command “yum update freePBX” or from the Elastix updates Web interface.

Friendly Reminder to “Do-it-Yourselfers”

We strongly recommend that you upgrade FreePBX only via Elastix RPM packages, not through the “not embedded” interface. Updating FreePBX from the “not embedded” interface can overwrite important changes in the RPM packages distributed with Elastix.
