Re: Freepbx

[Marsh Ray <marsh () extendedsubset com>]

On 09/22/2010 11:17 AM, Tyler Borland wrote:
> Hello Marsh,
>
> I had found one of the previous holes.
> http://seclists.org/fulldisclosure/2010/Jul/180

Yep. After having seen that, I figured that people actually would be 
interested in bugs in this codebase. So I posted here.

> Don't forget to check out the includes for that file.
> http://www.freepbx.org/trac/browser/freepbx/trunk/amp_conf/htdocs/admin/cdr/lib/defines.php?rev=10274

That 'getpost_ifset' is pure magic, isn't it? :-)

Between that, the 'posted=1' hidden input, and the near absence of SQL 
escaping, I wonder if this code was really made with any security at all 
in mind. That's not necessarily wrong, I believe there's a time and a 
place for test code and code that assumes its running only on a trusted 
LAN (though the query string handling in this case would mean that no 
admin on the LAN could safely browse the web either).

The vulnerability arises when that code makes it onto production 
systems. Unlike a lot of the deeper and more interesting classes of 
bugs, this is one of those things where just a little bit of a formal 
development process can go a long way towards prevention.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/