FreePBX 2.9/2.10/2.11/2.12 view.functions.php usersnum access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in FreePBX 2.9/2.10/2.11/2.12 and classified as critical. The affected element is the function usersnum in the library admin/libraries/view.functions.php of the file view.functions.php. The manipulation leads to access control.
This vulnerability is documented as CVE-2014-1903. Additionally, an exploit exists.
To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability was found in FreePBX 2.9/2.10/2.11/2.12. It has been rated as critical. This issue affects the function usersnum in the library admin/libraries/view.functions.php of the file view.functions.php. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
The weakness was released 02/24/2014 by i-Hmx as confirmed advisory (Website). It is possible to read the advisory at freepbx.org. The identification of this vulnerability is CVE-2014-1903 since 02/07/2014. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
A public exploit has been developed by @0x00string (i-Hmx) and been published immediately after the advisory. The exploit is available at securityfocus.com. It is declared as highly functional. By approaching the search of inurl:view.functions.php it is possible to find vulnerable targets with Google Hacking. The commercial vulnerability scanner Qualys is able to test this issue with plugin 12902 (FreePBX Remote Code Execution Vulnerability).
Upgrading to version 2.9.0.14, 2.10.1.15, 2.11.0.23 or 12.0.1alpha22 eliminates this vulnerability. The upgrade is hosted for download at freepbx.org. Applying a patch is able to eliminate this problem. The best possible mitigation is suggested to be patching the affected component. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 16311.
The vulnerability is also documented in the databases at X-Force (91491), Exploit-DB (32214), SecurityFocus (BID 65756†), OSVDB (103240†) and Vulnerability Center (SBV-44011†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Highly functional
Author: @0x00string (i-Hmx)
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Saint ID: exploit_info/freepbx_config
Saint Name: FreePBX Framework Module view.functions.php Remote Code Execution
Qualys ID: 🔍
Qualys Name: 🔍
MetaSploit ID: freepbx_config_exec.rb
MetaSploit Name: FreePBX config.php Remote Code Execution
MetaSploit File: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Exploit Delay Time: 🔍
Upgrade: FreePBX 2.9.0.14/2.10.1.15/2.11.0.23/12.0.1alpha22
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
Fortigate IPS: 🔍
Timeline
02/06/2014 🔍02/07/2014 🔍
02/18/2014 🔍
02/23/2014 🔍
02/24/2014 🔍
02/24/2014 🔍
03/06/2014 🔍
03/12/2014 🔍
04/13/2014 🔍
02/01/2025 🔍
Sources
Advisory: freepbx.orgResearcher: i-Hmx
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-1903 (🔍)
GCVE (CVE): GCVE-0-2014-1903
GCVE (VulDB): GCVE-100-12491
X-Force: 91491 - FreePBX view.functions.php code execution, High Risk
SecurityFocus: 65756 - FreePBX 'usersnum' Parameter Remote Command Execution Vulnerability
OSVDB: 103240
Vulnerability Center: 44011 - FreePBX 2.9, 2.10, 2.11, 2.12 Remote Code Execution Vulnerability via Config.php, High
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 03/06/2014 13:55Updated: 02/01/2025 13:13
Changes: 03/06/2014 13:55 (84), 05/25/2017 10:22 (6), 12/20/2024 03:38 (18), 02/01/2025 13:13 (7)
Complete: 🔍
Committer:
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.