WARNING!! trixbox is vulnerable to SQL injection!!

mickecarls
Posts: 98
Member Since:
2006-10-19

On 15/1/2010 a security advisory was released for FreePBX version 2.5.1 (named PBXconfig in trixbox), and potentially earlier versions, concerning a SQL injection vulnerability. If you are running this version then I would suggest immediately upgrading to version 2.5.3. You can find more details of the vulnerability here: http://marc.info/?l=full-disclosure&m=126385082917779&w=2

FreePBX 2.5 was updated promptly and all systems running the real FreePBX 2.5 could download the fix immediately. The fix has been out since January 14.

However, there are no fixes in trixbox to correct this. For those who are fortunate enough to be able to read patches and implement them, see here http://www.freepbx.org/trac/changeset/8615 and here http://www.freepbx.org/trac/changeset/8622

andrew, I suggest that you take this seriously and release your patched version of FreePBX as soon as possible.

Mikael Carlsson
FreePBX Development Team



joshpatten
Posts: 733
Member Since:
2007-01-20
bump

bump



dbierce
Posts: 20
Member Since:
2009-10-01
Bump indeed. Or make a way

Bump indeed. Or make a way to submit patches into mainline.



andrew
Posts: 1472
Member Since:
2006-05-30
No need for alarm.

Thanks for pointing this out. This bug does not affect trixbox users as much because the trixbox web interface is shielded behind an Apache password. Even if the web interface of a trixbox was open to the internet the attacker would need to know the admin password to attack a trixbox using this exploit.

Nonetheless, this is a serious security hole and I have added your patch to PBXconfig. trixbox users should go into PBX settings -> module admin and upgrade the core module to 5.5.2.3

Thanks again for pointing this out. Your help is always appreciated.



nycmaster
Posts: 47
Member Since:
2009-09-30
Oh no...

After running core module update 5.5.2.3 I'm getting the following error message when clicking "Apply Configuration Changes". Does anyone have any ideas?

Reload failed because retrieve_conf encountered an error: 255
exit: 255

Checking for PEAR DB..OK
Checking for PEAR Console::Getopt..OK
Checking for /etc/amportal.conf ..OK
Bootstrapping /etc/amportal.conf ..OK
Parsing /etc/amportal.conf ..OK
Parsing /etc/asterisk/asterisk.conf ..OK
Connecting to database..OK
Connecting to Asterisk manager interface..OK
Added to globals: ASTETCDIR = /etc/asterisk
Added to globals: ASTMODDIR = /usr/lib/asterisk/modules
Added to globals: ASTVARLIBDIR = /var/lib/asterisk
Added to globals: ASTAGIDIR = /var/lib/asterisk/agi-bin
Added to globals: ASTSPOOLDIR = /var/spool/asterisk
Added to globals: ASTRUNDIR = /var/run/asterisk
Added to globals: ASTLOGDIR = /var/log/asterisk
Added to globals: CWINUSEBUSY = true
Added to globals: AMPMGRUSER = admin
Added to globals: AMPMGRPASS = amp111

Fatal error: Class 'ext_stopmixmonitor' not found in /var/www/html/admin/modules/core/functions.inc.php on line 1326

1 error(s) occured, you should view the notification log on the dashboard or main screen to check for more details.

--

My setup
TB 2.8.0.4
3 x Cisco 7940
Callcentric SIP Trunk In/Out calls



dickson
Posts: 1831
Member Since:
2006-06-02
I was able to replicate that

I was able to replicate that exact same issue. It appears to have resolved itself after I did a framework upgrade as well.



ganeshj_india
Posts: 3
Member Since:
2010-04-30
help me

I have got the same problem.
My setup:
TB 2.8.0
Please help me.



ganeshj_india
Posts: 3
Member Since:
2010-04-30
yes

Could you please explain how you did the framework upgrade?



andrew
Posts: 1472
Member Since:
2006-05-30
You should always update

You should always update framework and core at the same time.

PBXconfig -> module admin -> use online repository to update


