2016-07-18 File Delete - Directory Traversal in Delete in Music on Hold

SEC-2016-004

Overview:

Directory Traversal in Delete in Music on Hold. Requires Administrative login

Discovered By:

Douglas Goddard <douglas(dot)gastonguay(at)gmail(dot)com>

Impact:

CVSS 3 Details:

  • Base Score: 5.0

  • Temporal Score: 4.5

  • Environmental Score: 4.2

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:L/IR:M/AR:X/MAV:N/MAC:H/MPR:H/MUI:N/MS:U/MC:L/MI:H/MA:N

Vulnerable software and versions:

The versions listed below (and any earlier version)

  • < music v12.0.1

Note: Music in FreePBX 13 is not affected in any version. The following versions contain the fix:

  • >= music v12.0.2

Related Information

N/A

Further Details:

An administrator can delete any file owned by the asterisk user via a directory traversal vulnerability in the hold music deletion feature. This feature is accessed from Settings > Music on Hold. A specially crafted request can target files outside of the hold music directory.
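The defect described above is a delete routine that joins a user-supplied file name onto the hold music directory without checking where the result lands. The following is an added illustration written for this advisory, not FreePBX's or the Music on Hold module's own code (which is PHP); it is in Python so it can be run stand-alone. The function names and the temporary directory layout are assumptions constructed for the example. It shows a naive path build beside a hardened delete that canonicalises the path (resolving `..` and symlinks) and refuses anything that does not resolve inside the base directory.

```python
import os
import tempfile


def unsafe_target(moh_dir, name):
    """Naive path construction: the caller's name is trusted as-is.

    Hypothetical stand-in for the vulnerable pattern. A name containing
    '..' segments, or an absolute path (which os.path.join lets override
    moh_dir entirely), resolves outside the hold music directory.
    """
    return os.path.join(moh_dir, name)


def resolve_inside(base_dir, name):
    """Return the canonical path of name under base_dir, or None if it escapes.

    realpath() resolves '..' and symlinks, so a symlink inside the directory
    that points elsewhere is also rejected. commonpath() is the containment
    check; a plain string-prefix test would accept '/var/moh-other' as being
    inside '/var/moh'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised when the paths cannot share a prefix (e.g. different drives).
        return None
    return candidate


def delete_hold_music_safe(moh_dir, name):
    """Hardened delete: only regular files that resolve inside moh_dir."""
    target = resolve_inside(moh_dir, name)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def run_demo():
    """Build a constructed fixture in a temp dir and exercise both routines."""
    root = tempfile.mkdtemp()
    moh = os.path.join(root, "moh")
    os.mkdir(moh)
    wav = os.path.join(moh, "hold.wav")       # legitimate hold music file
    outside = os.path.join(root, "secret.txt")  # sibling file outside moh/
    for path in (wav, outside):
        with open(path, "w"):
            pass

    return {
        # The naive join happily points at the file outside the directory.
        "naive_escapes": os.path.realpath(unsafe_target(moh, "../secret.txt"))
        == os.path.realpath(outside),
        # The hardened routine refuses the traversal and the absolute path...
        "traversal_rejected": delete_hold_music_safe(moh, "../secret.txt") is False,
        "absolute_rejected": delete_hold_music_safe(moh, outside) is False,
        "outside_survives": os.path.exists(outside),
        # ...but still deletes a legitimate file inside the directory.
        "legit_deleted": delete_hold_music_safe(moh, "hold.wav") is True,
        "wav_gone": not os.path.exists(wav),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The important design point is that the check is made on the canonical path after resolution, not on the raw string: filtering for the literal sequence `..` misses encoded variants and symlinks, whereas comparing `realpath()` output against the base directory rejects every route out of it. Privilege also matters: the file is removed with whatever rights the web process (here the asterisk user) holds, which is why the advisory scopes the impact to files owned by that user.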

Sangoma strongly encourages all users of FreePBX 12 to upgrade to the latest Music on Hold version. This can be done from the Module Admin GUI or the CLI. For more information on using Module Admin, please see the Module Admin User Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.
