Security Threat Discovered; Suggested Solution Described

Apr 14, 2011 | IP PBX (Private Branch Exchange) Product News, VoIP PBX News and Blog

Affected Products

All Xorcom IP-PBX models (XR1nnn, XR2nnn, XR3nnn, XE2nnn, XE3nnn) running Elastix 1.x

Problem

Protect Your Elastix Server from Infiltrators

It recently came to our attention that it is possible to log in to the Elastix server's unembedded FreePBX Web interface (http://address/admin) with the user name ‘asteriskuser’ and the password ‘eLaStIx.asteriskuser.2oo7’. These are the same user name and password that FreePBX uses to access the ‘asterisk’ MySQL database. They are defined in the AMPDBUSER and AMPDBPASS parameters in the /etc/amportal.conf file.

Note: The option to log in with AMPDBUSER and AMPDBPASS is a standard feature of FreePBX. While the original Elastix FreePBX package contains a patch to close this ‘back door’, the FreePBX modules update operation overwrites the patch and the back door is re-opened.

The problem is that most Elastix users do not change the default password, and some immoral people have discovered this security breach and can use it to make calls at someone else’s expense. Changing the password is a little complicated: it is not sufficient to define a new password in the /etc/amportal.conf file; the MySQL settings must also be changed.
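
To find out whether a server still has the default password configured, the following added example (not Xorcom's script and not part of the original advisory) reads AMPDBUSER and AMPDBPASS from /etc/amportal.conf and compares the password with the default quoted above. The function names conf_get and check_amportal are hypothetical, and the parser assumes plain KEY=value lines with '#' comments.

```sh
#!/bin/sh
# Added example (not Xorcom's script): read-only audit of amportal.conf for
# the default FreePBX database password named in this advisory.
# Assumption: the file holds plain KEY=value lines with '#' comments.

DEFAULT_PASS='eLaStIx.asteriskuser.2oo7'

# conf_get KEY FILE: print the value of KEY; the last assignment wins.
conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF files
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v; found = 1
        }
        END { if (found) print val }
    ' "$2"
}

# check_amportal [FILE]: returns 0 = password changed, 1 = default password
# still configured, 2 = file unreadable or AMPDBPASS missing.
check_amportal() {
    conf="${1:-/etc/amportal.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    user=$(conf_get AMPDBUSER "$conf")
    pass=$(conf_get AMPDBPASS "$conf")
    [ -n "$pass" ] || { echo "AMPDBPASS not set in $conf" >&2; return 2; }
    if [ "$pass" = "$DEFAULT_PASS" ]; then
        echo "DEFAULT PASSWORD IN USE: AMPDBPASS in $conf (AMPDBUSER=$user)"
        return 1
    fi
    echo "OK: AMPDBPASS in $conf is not the default (AMPDBUSER=$user)"
    return 0
}
```

Source the file and run check_amportal as a user who can read /etc/amportal.conf. It inspects only the configuration file, so a clean result does not show that the MySQL account itself was changed.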

Solution

In response to this security threat, Xorcom has developed a simple script that allows Elastix users to change the password easily. To install the script and set a new password, do the following:

cd /tmp

wget http://updates.xorcom.com/~xorcom/xr-addons-1.00-0.noarch.rpm

rpm -Uvh xr-addons-1.00-0.noarch.rpm

ampasswd new_your_password

 
