CVE-2014-1903
published 2014-02-18

Priority: P2 (score 72, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 52.19% (98.8th percentile)
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.

Affected (4 ranges)

Vendor    Product   Version range   Fixed in
freepbx   freepbx
freepbx   freepbx
freepbx   freepbx
sangoma   freepbx

Detection & IOCs (extracted from sources)

url:  /admin/config.php?display=A&handler=api&file=A&module=A&function=<func>&args=<args>
path: /admin/config.php
path: /admin/libraries/view.functions.php
  • Alert on HTTP requests to /admin/config.php where the 'function' parameter contains PHP code execution functions such as 'passthru', 'system', 'exec', 'shell_exec', etc. The default Metasploit module uses 'passthru'.
  • The exploit sends a GET request with query parameters: display=<random>, handler=api, function=<phpfunc>, args=<payload>. Correlate these four parameters appearing together in a single request as a high-confidence indicator.
  • The exploit requires no authentication — the vulnerable handler is reachable without a valid session, so network-layer controls blocking unauthenticated access to /admin/ are the primary mitigation.
  • The Metasploit module uses ARCH_CMD and platform 'unix', meaning payloads are OS command strings passed to the PHP execution function — detection rules should account for URL-encoded shell commands in the 'args' parameter.
  • The PoC exploit uses a raw HTTP GET (not a standard HTTP/1.1 request with Host header), which may bypass some WAF/proxy normalisation — validate that detection covers both raw and well-formed HTTP requests to the target path.
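The detection guidance above, turned into a log scanner as an added example (not code from the database or from any FreePBX or Metasploit source). It walks constructed access-log entries, accepts both the standard request line and the raw "GET <path>" form without an HTTP version, URL-decodes the 'args' parameter, and grades a hit 'high' only when the four-parameter pattern and an execution function name appear together; the function list, log lines and scoring levels are assumptions for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# PHP execution functions named in the guidance above; extend as needed (assumed list).
EXEC_FUNCS = {"passthru", "system", "exec", "shell_exec"}
# Request line of a common/combined access-log entry. The HTTP version is
# optional so the raw "GET <path>" form the PoC sends is matched as well.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def classify_target(target: str) -> Optional[dict]:
    """'high' when display, handler=api, function and args are all present on
    /admin/config.php and function names an execution function; 'medium' when
    only one of those two conditions holds; None otherwise."""
    parts = urlsplit(target)
    if parts.path != "/admin/config.php":
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes 'args'
    func = q.get("function", [""])[0].lower()
    full_pattern = (q.get("handler", [""])[0].lower() == "api"
                    and all(k in q for k in ("display", "function", "args")))
    if full_pattern and func in EXEC_FUNCS:
        level = "high"
    elif full_pattern or func in EXEC_FUNCS:
        level = "medium"
    else:
        return None
    return {"level": level, "function": func, "args": q.get("args", [""])[0]}

def scan_access_log(lines):
    """Return [(line_no, finding)] for every entry whose request matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hit = classify_target(m.group("target")) if m else None
        if hit:
            findings.append((n, hit))
    return findings

# Constructed sample entries (not real traffic): a Metasploit-style probe, a
# benign admin page view, a raw GET without an HTTP version, a partial match.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2014:10:00:01 +0000] "GET /admin/config.php?display=q7x&handler=api&file=q7x&module=q7x&function=passthru&args=id HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Feb/2014:10:00:02 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 8192',
    '203.0.113.5 - - [18/Feb/2014:10:00:03 +0000] "GET /admin/config.php?display=b2&handler=api&function=system&args=uname%20-a" 200 300',
    '203.0.113.5 - - [18/Feb/2014:10:00:04 +0000] "GET /admin/config.php?display=b3&function=shell_exec HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, f in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {f['level']:6s} function={f['function']} args={f['args']!r}")
```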