FreePBX 13: From Cross-Site Scripting to Remote Command Execution

1 Dec 2016 by Hendrik Buchwald

FreePBX

FreePBX is a web-based graphical user interface for managing voice-over-IP services. According to its creator, there are over one million production systems running FreePBX worldwide, with 20,000 new installations every month [1]. It is the most widely deployed open-source PBX (Private Branch Exchange) platform in the world.

Recently, the announcement of a critical security vulnerability that was fixed in August [2] caught our attention. Since FreePBX is written entirely in PHP, we decided to run it through our code analysis tool RIPS. The results were more than surprising…