ALERT MOH Vulnerability in FreePBX

kenn10

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
4,638
Reaction score
3,005
community.freepbx.org

Authenticated Remote Code Execution in FreePBX Music on Hold (MoH) Module

Summary The FreePBX Music on Hold (MoH) module contains a critical security flaw that allows authenticated attackers to execute arbitrary system commands with the privileges of the Asterisk service. Authentication with an existing FreePBX administrator account is required. Common...
community.freepbx.org community.freepbx.org

github.com

Authenticated Remote Code Execution in FreePBX Music on Hold (MoH) Module

### Summary The FreePBX Music on Hold (MoH) module contains a critical security flaw that allows authenticated attackers to execute arbitrary system commands with the privileges of the Asterisk ...
github.com github.com
 
I'm confused about this vulnerability. I thought it was a feature that you could define any application in MOH as a music source. Apparently it is both a vulnerability and a feature. Is it naive of me to think that if you are an admin user you should be allowed to do these kinds of... admin things?
 
billsimon said:
I'm confused about this vulnerability. I thought it was a feature that you could define any application in MOH as a music source. Apparently it is both a vulnerability and a feature. Is it naive of me to think that if you are an admin user you should be allowed to do these kinds of... admin things?
Click to expand...
The issue is there's no validation of expected formats, I guess. So you could enter a harmful line that would be executed.
 
You must log in or register to reply here.

Members online

Total: 36 (members: 4, guests: 32)

Latest Posts

Forum statistics

Threads
26,695
Messages
174,449
Members
20,264
Latest member
TRENT310
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Verify your Email

Check your inbox!

We’ve sent you an email. Click on the button in the email body to verify your email address – (if you can not find it, check your spam folder).

Upon verification you will be directed to the 3CX setup wizard.

Back
Top