Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score (CVSS v2 base) 7.5
CVE Id CVE-2014-1903
Last Modified 21 Feb 2014 12:06:46
Published 18 Feb 2014 06:55:16
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-1903

Summary

admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
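The summary describes an API handler that dispatches to whatever PHP function name the request names, with `function` and `args` arriving as request parameters to `admin/config.php`. A responder working from an entry like this usually wants a quick way to hunt for that request shape in web-server access logs. The Python below is an added example written for this page; it is not code from FreePBX, from the vendor advisory, or from any of the referenced posts. It assumes an Apache/nginx combined-format access log and a FreePBX install served under `/admin/`; the log lines are constructed for the example, and the function name in them (`sample_fn`) is a placeholder, not a real target.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Request shape from the CVE-2014-1903 summary: admin/config.php
# called with both a "function" and an "args" parameter.
TARGET_PATH_SUFFIX = "/admin/config.php"
REQUIRED_PARAMS = ("function", "args")


def parse_line(line):
    """Split one access-log line into ip, timestamp, method, path,
    decoded query parameters and status. Returns None on junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes keys, so an encoded "%66unction" still matches.
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def is_suspect(entry):
    """True when the request targets admin/config.php and carries
    every parameter the vulnerable handler needs."""
    if entry is None or not entry["path"].endswith(TARGET_PATH_SUFFIX):
        return False
    return all(p in entry["query"] for p in REQUIRED_PARAMS)


def find_suspects(lines):
    """Return one record per matching request, with the function name
    that was requested so the analyst can triage quickly."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspect(entry):
            hits.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "status": entry["status"],
                "function": entry["query"]["function"][0],
            })
    return hits


# Constructed sample lines (hypothetical hosts from RFC 5737 ranges).
SAMPLE_LOG = [
    '198.51.100.23 - - [11/Feb/2014:10:15:02 +0000] '
    '"GET /admin/config.php?display=dashboard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Feb/2014:10:16:44 +0000] '
    '"GET /admin/config.php?function=sample_fn&args=1 HTTP/1.1" 200 87 "-" "curl/7.35.0"',
    '198.51.100.23 - - [11/Feb/2014:10:17:10 +0000] '
    '"POST /admin/config.php?display=extensions HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Feb/2014:10:18:00 +0000] '
    '"GET /index.php?function=x&args=y HTTP/1.1" 404 300 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(hit)
```

Only the query string of a request appears in an access log; the same two parameters sent in a POST body are invisible here, so an empty result is not evidence that the host was never probed. Treat the check as a triage aid, and rely on upgrading to the fixed releases named in the summary as the actual remediation.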

Vulnerable Systems

Application

  • FreePBX 2.9 (before 2.9.0.14)

  • FreePBX 2.10 (before 2.10.1.15)

  • FreePBX 2.11 (before 2.11.0.23)

  • FreePBX 12 (before 12.0.1alpha22)


References

CONFIRM - http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

CONFIRM - http://issues.freepbx.org/browse/FREEPBX-7123

CONFIRM - http://issues.freepbx.org/browse/FREEPBX-7117

CONFIRM - http://code.freepbx.org/changelog/FreePBX_SVN?cs=16429

CONFIRM - http://code.freepbx.org/changelog/FreePBX_Framework?cs=a29382efeb293ef4f42aa9b841dfc8eabb2d1e03

FULLDISC - 20140211 Re: Freepbx , php code execution exploit

FULLDISC - 20140211 Freepbx , php code execution exploit

BUGTRAQ - 20140211 [CVE-2014-1903] FreePBX 2.9 through 12 RCE

MISC - http://packetstormsecurity.com/files/125215/FreePBX-2.9-Remote-Code-Execution.html

MISC - http://packetstormsecurity.com/files/125166/FreePBX-2.x-Code-Execution.html

OSVDB - 103240


Last Updated: 27 May 2016 11:04:30