Author: PJ

FusionPBX Path traversal 6

An authenticated user can rename any file on the system through a specially crafted FusionPBX 4.5.7 URL.

In FusionPBX up to v4.5.7, the file app\edit\filerename.php uses unsanitized “folder”, “filename”, and “newfilename” variables taken from the URL, which allows any file on the system to be renamed.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=05956113-9485-497a-9ed8-100ca70dabd7
Fix: https://github.com/fusionpbx/fusionpbx/commit/1a88ca61a744914d3336cc15a40fb3edbcde9085

The issue was reported by Pierre Jourdan on 15/08/2019 and fixed by Mark J Crane.

FusionPBX Path traversal 5

An authenticated user can create a folder anywhere on the system through a specially crafted FusionPBX 4.5.7 URL.

In FusionPBX up to v4.5.7, the file app\edit\foldernew.php uses an unsanitized “folder” variable taken from the URL, which allows a folder to be created anywhere on the system.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=28cf4e9c-13c4-4ff9-8c1f-5e355f06ed1f
Fix: https://github.com/fusionpbx/fusionpbx/commit/cad71240dee2a82cd5766dd67039a87849031aaa

The issue was reported by Pierre Jourdan on 15/08/2019 and fixed by Mark J Crane.

FusionPBX Path traversal 4

An authenticated user can delete any folder on the system through a specially crafted FusionPBX 4.5.7 URL.

In FusionPBX up to v4.5.7, the file app\edit\folderdelete.php uses an unsanitized “folder” variable taken from the URL, which allows any folder on the system to be deleted.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=d7a37592-f07b-4aa4-92ca-5c4f7886b7c5
Fix: https://github.com/fusionpbx/fusionpbx/commit/026c3958c3c7ca6b2ff067addc991aac8f41cf11

The issue was reported by Pierre Jourdan on 13/08/2019 and fixed on the same day by Mark J Crane.
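
A containment check of the kind the three path traversal issues above (filerename.php, foldernew.php, folderdelete.php) call for, shown as an added PHP example that is not FusionPBX's code and does not reproduce the linked fixes. The base directory, the function names, and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added illustration, not FusionPBX code: $base and all function names are hypothetical.
// Canonicalize $folder under $base; return null unless the result is an existing
// directory that is $base itself or lies beneath it.
function resolve_inside(string $base, string $folder): ?string {
    if (strpos($folder, "\0") !== false) { return null; }
    $base_real = realpath($base);
    if ($base_real === false) { return null; }
    $target = realpath($base_real . DIRECTORY_SEPARATOR . $folder);
    if ($target === false || !is_dir($target)) { return null; }
    // Trailing separator stops a sibling such as "<base>-old" matching as a prefix.
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = $target === $base_real || strncmp($target, $prefix, strlen($prefix)) === 0;
    return $inside ? $target : null;
}

// A file name must be one path component: no separators, dot entries or NUL bytes.
function is_plain_name(string $name): bool {
    return $name !== '' && $name !== '.' && $name !== '..'
        && strpbrk($name, "/\\") === false && strpos($name, "\0") === false;
}

function safe_rename(string $base, string $folder, string $filename, string $newfilename): bool {
    $dir = resolve_inside($base, $folder);
    if ($dir === null || !is_plain_name($filename) || !is_plain_name($newfilename)) {
        return false;
    }
    $src = $dir . DIRECTORY_SEPARATOR . $filename;
    $dst = $dir . DIRECTORY_SEPARATOR . $newfilename;
    // Refuse symlinks (they may point outside $base) and never overwrite a target.
    if (is_link($src) || !is_file($src) || file_exists($dst) || is_link($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed demo data in a throwaway directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'edit_demo_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'scripts', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'scripts' . DIRECTORY_SEPARATOR . 'a.lua', "-- sample\n");
$cases = [
    ['scripts', 'a.lua', 'b.lua'],      // folder and both names stay inside $base
    ['..', 'a.lua', 'b.lua'],           // folder resolves to the parent of $base
    ['scripts', 'b.lua', '../b.lua'],   // new name carries a directory component
];
foreach ($cases as [$folder, $old, $new]) {
    printf("%-8s %-6s -> %-9s %s\n", $folder, $old, $new,
        safe_rename($base, $folder, $old, $new) ? 'renamed' : 'rejected');
}
```

For folder creation the target does not exist yet, so `realpath()` on it fails: resolve the parent with `resolve_inside()` and validate the new folder name with `is_plain_name()`. Folder deletion can reuse `resolve_inside()` directly, with an extra check that the resolved path is not the base itself.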

 

FusionPBX XSS 22

An attacker targeting an authenticated user can induce them to click a specially crafted FusionPBX 4.5.7 URL, causing JavaScript code to execute in their browser.

In FusionPBX up to v4.5.7, the file app\devices\device_imports.php uses an unsanitized “query_string” variable taken from the URL, which is reflected in the HTML, leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=54c0b510-d075-4703-9be4-0505a3e9114b
Fix: https://github.com/fusionpbx/fusionpbx/commit/2ce613f1e9fe8ffab7a4cb9d1384444622285335

The issue was reported by Pierre Jourdan on 10/08/2019 and fixed by Mark J Crane.