FreePBX Backup Module page.backup.php 'dir' Parameter RCE

high Nessus Plugin ID 66986

Synopsis

The remote web server hosts a PHP script that allows arbitrary command execution.

Description

The version of FreePBX hosted on the remote web server is affected by a remote command injection vulnerability due to a weakness in the 'strpos' function when sanitizing user-supplied input to the 'dir' parameter in 'page.backup.php'. A remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote host, subject to the privileges of the web server user.

Solution

Upgrade FreePBX to version 2.10 or later.

See Also

http://www.nessus.org/u?4a0ff6a5

Plugin Details

Severity: High

ID: 66986

File Name: freepbx_page_backup_command_exec.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 6/26/2013

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:freepbx:freepbx

Required KB Items: www/PHP, installed_sw/FreePBX

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/28/2013

Vulnerability Publication Date: 4/27/2013

Reference Information

BID: 59533