CVE-2014-1903
published 2014-02-18CVE-2014-1903: admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict…
PriorityP272high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
52.19%
98.8th percentile
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | freepbx | — | — |
| freepbx | freepbx | — | — |
| freepbx | freepbx | — | — |
| sangoma | freepbx | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Alert on HTTP requests to /admin/config.php where the 'function' parameter contains PHP code execution functions such as 'passthru', 'system', 'exec', 'shell_exec', etc. The default Metasploit module uses 'passthru'. ↗
- →The exploit sends a GET request with query parameters: display=<random>, handler=api, function=<phpfunc>, args=<payload>. Correlate these four parameters appearing together in a single request as a high-confidence indicator. ↗
- ·The exploit requires no authentication — the vulnerable handler is reachable without a valid session, so network-layer controls blocking unauthenticated access to /admin/ are the primary mitigation. ↗
- ·The Metasploit module uses ARCH_CMD and platform 'unix', meaning payloads are OS command strings passed to the PHP execution function — detection rules should account for URL-encoded shell commands in the 'args' parameter. ↗
- ·The PoC exploit uses a raw HTTP GET (not a standard HTTP/1.1 request with Host header), which may bypass some WAF/proxy normalisation — validate that detection covers both raw and well-formed HTTP requests to the target path. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
FreePBX - 'config.php' Remote Code Execution (Metasploit)
exploitdb·2014-03-25
CVE-2014-1903 FreePBX - 'config.php' Remote Code Execution (Metasploit)
FreePBX - 'config.php' Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "FreePBX config.php Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.
It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"
parameters "function" and "args".
},
'License' => MSF_LICENSE,
'Author' =>
[
'i-Hmx', # Vulnerability discovery
'0x00string', # PoC
'xistence ' # Metasploit module
],
'References' =>
[
['CVE', '2014-1903'],
['OSVDB', '103240'],
['EDB', '32214'],
['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']
],
'Platform' => 'unix
Exploit-DB
FreePBX 2.11.0 - Remote Command Execution
exploitdb·2014-03-12·CVSS 7.5
CVE-2014-1903 [HIGH] FreePBX 2.11.0 - Remote Command Execution
FreePBX 2.11.0 - Remote Command Execution
---
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution
# Google Dork: n/a
# Date: 2/25/14
# Exploit Author: @0x00string
# Vendor Homepage: http://www.freepbx.org/
# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz
# Version: 2.11 tested working
# Tested on: Ubuntu 12.04, 13.10
# CVE : CVE-2014-1903
# References:
# http://seclists.org/bugtraq/2014/Feb/42
# http://issues.freepbx.org/browse/FREEPBX-7123
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903
#
# Developer Advisory:
# http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice
# in /admin/config.php
# // handle special requests
# if (!isset($no_auth) && isset($_REQUEST[
Metasploit
FreePBX config.php Remote Code Execution
metasploit
FreePBX config.php Remote Code Execution
FreePBX config.php Remote Code Execution
This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php" parameters "function" and "args".
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0097.htmlhttp://archives.neohapsis.com/archives/fulldisclosure/2014-02/0111.htmlhttp://code.freepbx.org/changelog/FreePBX_Framework?cs=a29382efeb293ef4f42aa9b841dfc8eabb2d1e03http://code.freepbx.org/changelog/FreePBX_SVN?cs=16429http://issues.freepbx.org/browse/FREEPBX-7117http://issues.freepbx.org/browse/FREEPBX-7123http://osvdb.org/103240http://packetstormsecurity.com/files/125166/FreePBX-2.x-Code-Execution.htmlhttp://packetstormsecurity.com/files/125215/FreePBX-2.9-Remote-Code-Execution.htmlhttp://www.freepbx.org/news/2014-02-06/security-vulnerability-noticehttp://www.securityfocus.com/archive/1/531040/100/0/threadedhttps://github.com/0x00string/oldays/blob/master/CVE-2014-1903.plhttp://archives.neohapsis.com/archives/fulldisclosure/2014-02/0097.htmlhttp://archives.neohapsis.com/archives/fulldisclosure/2014-02/0111.htmlhttp://code.freepbx.org/changelog/FreePBX_Framework?cs=a29382efeb293ef4f42aa9b841dfc8eabb2d1e03http://code.freepbx.org/changelog/FreePBX_SVN?cs=16429http://issues.freepbx.org/browse/FREEPBX-7117http://issues.freepbx.org/browse/FREEPBX-7123http://osvdb.org/103240http://packetstormsecurity.com/files/125166/FreePBX-2.x-Code-Execution.htmlhttp://packetstormsecurity.com/files/125215/FreePBX-2.9-Remote-Code-Execution.htmlhttp://www.freepbx.org/news/2014-02-06/security-vulnerability-noticehttp://www.securityfocus.com/archive/1/531040/100/0/threadedhttps://github.com/0x00string/oldays/blob/master/CVE-2014-1903.pl
2014-02-18
Published