Page tree
Skip to end of metadata
Go to start of metadata

SEC-2016-004

Overview:

Directory Traversal in Delete in Music on Hold. Requires Administrative login

Discovered By:

Douglas Goddard <douglas(dot)gastonguay(at)gmail(dot)com>

Impact:

CVSS 3 Details:

  • Base Score: 5.0
  • Temporal Score: 4.5
  • Environmental Score: 4.2

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:L/IR:M/AR:X/MAV:N/MAC:H/MPR:H/MUI:N/MS:U/MC:L/MI:H/MA:N

Vulnerable software and versions:

The versions listed below (or less than)

  • < music v12.0.1

Note: Music in FreePBX 13 is not affected in any version. The following versions of fixes:

  • >= music v12.0.2

Related Information

-N/A

Further Details:

An administrator can delete anything owned by the asterisk user via a directory traversal vulnerability in the hold music deletion feature. This can be accessed from Settings > Music on Hold. You can craft a special request that targets files outside of the hold music dir.

Sangoma strongly encourages all users of FreePBX 12 to upgrade to the latest Music on Hold version. This can be done from the Module Admin GUI or the CLI. For more information on using Module Admin, please see Module Admin User Guide.

Sangoma takes security seriously and request that any future FreePBX security issue be reported at security@freepbx.org.

  • No labels