FusionPBX Path traversal 2

An authenticated user can download any file on the system from FusionPBX 4.5.7 through a specifically crafted URL.

In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized “f” parameter taken from the URL directly as a file path. Because the value is never restricted to an allowed directory, it can name any file on the system that the web server user is able to read, and the script sends that file to the client.
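The example below is added here to illustrate the class of bug described above; it is not FusionPBX's code and not the code from the advisory. It places an unsanitized download handler next to a hardened one that keeps the request inside a fixed base directory. The base directory, the session variable name and the function names are assumptions made for the example (FusionPBX's actual fix, linked below, removed the affected files rather than patching them).

```php
<?php
// Added illustrative example, not FusionPBX code. The directory path and
// the session key used for the authentication check are assumptions.

// --- Vulnerable pattern (do not use) ---
// The "f" parameter is used as-is. A relative value such as
// "../../../../etc/passwd" or an absolute path such as "/etc/passwd" is
// opened and streamed to the client without any check.
function vulnerable_download(string $f): void {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($f) . '"');
    readfile($f);
}

// --- Hardened pattern ---
// 1. Require an authenticated session (assumed session variable).
// 2. Accept only a plain file name, never a path.
// 3. Resolve the name inside a fixed base directory with realpath() and
//    verify the canonical result is still under that directory.
function safe_download(string $f, string $base_dir): void {
    if (empty($_SESSION['user_uuid'])) {   // assumed session variable
        http_response_code(401);
        exit;
    }

    $base = realpath($base_dir);
    if ($base === false) {
        http_response_code(500);
        exit;
    }

    // Reject empty values and anything containing a directory separator.
    // This already blocks "../", but the realpath() check below is the
    // real boundary and also catches symlinks that point outside $base.
    if ($f === '' || $f !== basename($f)) {
        http_response_code(400);
        exit;
    }

    $target = realpath($base . DIRECTORY_SEPARATOR . $f);
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        http_response_code(404);
        exit;
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($target) . '"');
    header('Content-Length: ' . filesize($target));
    readfile($target);
}

// Usage (assumed directory):
// safe_download($_GET['f'] ?? '', '/var/lib/fusionpbx/downloads');
```

The prefix comparison is done on the output of realpath(), not on the raw parameter, so encoded or doubled separators and symlinks are resolved before the boundary check. Checking `$f !== basename($f)` on its own is not sufficient: a symlink inside the base directory that points elsewhere still passes it, which is why the realpath() check is kept as the final decision.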


Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2e4784b2-721e-4a15-8bef-962a3936aee1
Fix: https://github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108
https://github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951

The issue was reported by Pierre Jourdan on 10/08/2019 and fixed by Mark J Crane on 11/08/2019 by removing the PHP files completely.


CVE published; NVD base score 6.5 (MEDIUM):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16986
https://nvd.nist.gov/vuln/detail/CVE-2019-16986
