FreePBX Security Vulnerability

Would anyone out there be interested in my starting a series of weekly security talks aimed at developers so that I can go over vulnerabilities, a walk through of how they work, how their existence means a software security principle has been broken, and how to fix the root cause so it doesn't come back?

This is something that I think more and more people within the Asterisk community would benefit from and I'm hoping the end result would be an understanding of software security principles as well as coding standards for any Asterisk related project.

Kevin


Very interested. We're still trying to put a conference together. One way or another, we need to make a video so it gets preserved. Thanks for all you do and have done for our project!!!
 
Great, you're saying now I have to figure why apache crashed and I can't access my machine?

It would probably be faster to format and install "The Incredible PBX".

Not only faster... but also safer. :wink5:
 
Would anyone out there be interested in my starting a series of weekly security talks aimed at developers so that I can go over vulnerabilities, a walk through of how they work, how their existence means a software security principle has been broken, and how to fix the root cause so it doesn't come back?

This is something that I think more and more people within the Asterisk community would benefit from and I'm hoping the end result would be an understanding of software security principles as well as coding standards for any Asterisk related project.

Hi

As a serial creator of ISOs, I would be happy to attend/assist.

Joe
 
Would anyone out there be interested in my starting a series of weekly security talks aimed at developers so that I can go over vulnerabilities, a walk through of how they work, how their existence means a software security principle has been broken, and how to fix the root cause so it doesn't come back?

This is something that I think more and more people within the Asterisk community would benefit from and I'm hoping the end result would be an understanding of software security principles as well as coding standards for any Asterisk related project.

Kevin

Definitely! They should also be preserved as Ward stated be it Video, Open Office Impress, PDF, podcast, or other format...
 
I checked the logs of my server and confirmed that it was not hacked. Apache however had a panic attack and froze up. And for some reason numerous directories had their permissions changed.

I think the root of the problem lies somewhere in all the FreePBX updates that have been happening in the last couple of weeks. Something, somewhere didn't like what was happening.

Instead of trying to bandage the system up, I'm going to spin up the latest "Incredible PBX".
 
Would anyone out there be interested in my starting a series of weekly security talks aimed at developers so that I can go over vulnerabilities, a walk through of how they work, how their existence means a software security principle has been broken, and how to fix the root cause so it doesn't come back?

This is something that I think more and more people within the Asterisk community would benefit from and I'm hoping the end result would be an understanding of software security principles as well as coding standards for any Asterisk related project.

Kevin

Count me in too. Given the time difference I would need the podcast etc. Australia is 'the other side of the world' from almost everywhere. :wink5:
 
Was there ever any forward movement on this? The security "talks," not the exploit.
 
Ward, since today's application of updated 2.7 modules the following error is occurring:
retrieve_conf failed to sym link:
/var/lib/asterisk/bin/retrieve_op_conf_from_mysql.pl
/var/lib/asterisk/bin/retrieve_op_conf_from_mysql.php
This can result in FATAL failures to your PBX. If the target file exists, the symlink will not occur and you should rename the target file to allow the automatic sym link to occur and remove this error, unless this is an intentional customization.
Added 35 minutes ago
(retrieve_conf.SYMLINK)
 
PIAF currently does not endorse FreePBX 2.7. Any upgrade settings are performed by FreePBX as part of the update process so... you probably need to file a bug report in the FreePBX Bug Tracker.
 
Hi

/var/lib/asterisk/bin/retrieve_op_conf_from_mysql.pl
/var/lib/asterisk/bin/retrieve_op_conf_from_mysql.php
So it's not just me then. This seemed to occur on a new installation last night using a script I've used for years. I can only assume a glitch in the update process.

Delete these two files, and then edit an extension, trunk whatever, and then press the orange bar at the top of FreePBX, and the symlinks for these two files will be recreated in the /var/lib/asterisk/bin/, and the error message will go away.

Personally, I've found FreePBX 2.7 absolutely fine, and the more people who use the later version and put bug reports in, the better future versions get, notwithstanding comments about early adopters and arrows in the back.

Joe
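The retrieve_conf.SYMLINK notice quoted in this thread advises renaming a target file that blocks the automatic symlink. As an added example (not code from the thread or from FreePBX), the script below classifies each path and moves real files aside with a timestamped suffix so an intentional customization can be restored; the function names and the `.pre-symlink` suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rename (never delete) files that sit where a symlink is expected.
# Function names and the ".pre-symlink" suffix are hypothetical.

# Print "symlink", "blocking" (a real file or directory), or "missing" for a path.
classify_target() {
    if [ -L "$1" ]; then          # checked first so dangling links count as links
        echo symlink
    elif [ -e "$1" ]; then
        echo blocking
    else
        echo missing
    fi
}

# Move every blocking path to <path>.pre-symlink.<timestamp>.
# Leaves the number of renamed paths in MOVED_COUNT.
move_aside_blockers() {
    stamp=$(date +%Y%m%d%H%M%S)
    moved=0
    for p in "$@"; do
        case $(classify_target "$p") in
            blocking)
                mv -- "$p" "$p.pre-symlink.$stamp" && moved=$((moved + 1))
                echo "moved aside: $p -> $p.pre-symlink.$stamp"
                ;;
            symlink)
                echo "already a symlink: $p -> $(readlink "$p")"
                ;;
            missing)
                echo "absent, nothing blocks the link: $p"
                ;;
        esac
    done
    MOVED_COUNT=$moved
}

# Stand-alone use: pass the paths named in the notice as arguments, e.g.
#   sh move_aside.sh /var/lib/asterisk/bin/retrieve_op_conf_from_mysql.pl \
#                    /var/lib/asterisk/bin/retrieve_op_conf_from_mysql.php
if [ "$#" -gt 0 ]; then
    move_aside_blockers "$@"
fi
```

Existing symlinks are reported with their current destination, which helps when a module has pointed a link somewhere FreePBX does not expect.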
 
Good to hear. Does this glitch occur with every upgrade or just sometimes?
 
We have 2.7 boxes running without problems. Including Revos (such cute li'l boxes!)
 
I have updated 4 boxes to 2.7 and beyond and have yet to have this happen - sounds like it was just a fluke to me....
 
I just updated my box and had similar errors. Besides those two files I also got:


/etc/asterisk/sip_notify.conf
/var/www/html/admin/images/delete.gif
 
Have you rebooted the system after the upgrade? Not just an amportal restart.
 
Have you rebooted the system after the upgrade? Not just an amportal restart.


No I didn't. Was I supposed to? I don't remember rebooting after any of the other FreePBX upgrades. I followed the error message instructions and moved the four files off to the side and it corrected the two ...mysql files/links on its own. It still shows these two files as being errors tho. I'll try rebooting after hours.
 
I just updated my box and had similar errors. Besides those two files I also got:

/etc/asterisk/sip_notify.conf
/var/www/html/admin/images/delete.gif

It seems to be the endpoint manager module is redirecting these symlinks which conflicts with whatever FreePBX is trying to set the symlinks to.
 
