Credit:
The information has been provided by Wendel G. Henrique.
The original article can be found at: http://seclists.org/fulldisclosure/2010/Sep/378
Vulnerable Systems:
* FreePBX version 2.8.0 and below
FreePBX does not handle file uploads securely: an attacker controls both the file extension and the beginning of the uploaded file's name.
The code below, taken from page.recordings.php, shows the relevant part of the recordings upload feature.
/* Code removed to fit better on advisory */
<?php
if (isset($_FILES['ivrfile']['tmp_name']) &&
    is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
    // $usersnum is taken from the request and is never validated
    if (empty($usersnum)) {
        $dest = "unnumbered-";
    } else {
        $dest = "{$usersnum}-";
    }
    // the suffix is whatever follows the last "." in the client-supplied name
    $suffix = substr(strrchr($_FILES['ivrfile']['name'], "."), 1);
    $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
    move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
    echo "<h6>"._("Successfully uploaded")." ".$_FILES['ivrfile']['name']."</h6>";
    $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>
/* Code removed to fit better on advisory */
When a file is uploaded, a copy is first saved temporarily under the /tmp/ directory. The name of that copy has the form user-controlled-staticname.extension, where:
"user-controlled" is the $usersnum variable.
"staticname" is the fixed value -ivrrecording.
"extension" is the suffix of the client-supplied file name, so it is also controlled by the user.
If the $usersnum variable is not defined, the static string "unnumbered" is used instead. Finally, when the user clicks the save button on the System Recordings interface, the file is stored under /var/lib/asterisk/sounds/custom/ using the original file name supplied by the user. Because $usersnum is concatenated into the destination path without validation, an attacker can put path traversal sequences in it and have the file written anywhere the web server user has write access, for example Apache's DocumentRoot. Combined with a freely chosen extension, this allows an attacker to upload server-side code to the web server and have it executed with the web server's permissions.
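As an added example, not taken from the advisory or from FreePBX, here is a hardened form of the same upload handler. It assumes the same inputs as the original ($usersnum, $_FILES['ivrfile'] and $recordings_save_path) and the same "<number>-ivrrecording.<suffix>" naming scheme; the extension allow-list and the function name build_recording_destination are my own choices.

```php
<?php
// Added example (not FreePBX's own code): hardened variant of the
// page.recordings.php upload handler shown in the advisory.

// Constructed allow-list of sound-file extensions; everything else is rejected.
$allowed_suffixes = array('wav', 'gsm', 'ulaw', 'alaw', 'sln');

// Returns the destination path, or false when any input is unsafe.
function build_recording_destination($save_path, $usersnum, $orig_name, array $allowed) {
    // $usersnum must be empty or a plain integer; "../" and "/" never get through.
    if (empty($usersnum)) {
        $dest = 'unnumbered-';
    } elseif (ctype_digit((string)$usersnum)) {
        $dest = $usersnum . '-';
    } else {
        return false;
    }
    // Extension is taken from basename() so no directory part of the client-supplied
    // name can leak in, and it must be on the allow-list (compared lower-case).
    $suffix = strtolower(pathinfo(basename($orig_name), PATHINFO_EXTENSION));
    if ($suffix === '' || !in_array($suffix, $allowed, true)) {
        return false;
    }
    $base = realpath($save_path);
    if ($base === false) {
        return false;
    }
    $destfilename = $base . DIRECTORY_SEPARATOR . $dest . 'ivrrecording.' . $suffix;
    // Defence in depth: the resolved parent directory must still be the recordings directory.
    if (realpath(dirname($destfilename)) !== $base) {
        return false;
    }
    return $destfilename;
}

if (isset($_FILES['ivrfile']['tmp_name']) && is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
    $destfilename = build_recording_destination($recordings_save_path,
        isset($usersnum) ? $usersnum : '', $_FILES['ivrfile']['name'], $allowed_suffixes);
    if ($destfilename === false) {
        echo '<h6>' . _('Upload rejected') . '</h6>';
    } elseif (move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename)) {
        // Echo the client-supplied name escaped, so it cannot inject markup into the page.
        echo '<h6>' . _('Successfully uploaded') . ' '
           . htmlspecialchars(basename($_FILES['ivrfile']['name']), ENT_QUOTES, 'UTF-8') . '</h6>';
    }
}
```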
Patch Availability:
The maintainer has released a patch addressing this issue for all versions of the software from 2.3 onward. Details of the patch can be found here:
http://www.freepbx.org/trac/ticket/4553
CVE Information:
CVE-2010-3490
Disclosure Timeline:
08/13/10 - Initial contact
08/18/10 - Vulnerability disclosed
09/23/10 - Advisory public release