Headline
CVE-2019-16986: FusionPBX Path traversal 2
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized “f” variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
An authenticated user can download any file on the system through a specially crafted FusionPBX 4.5.7 URL.
In FusionPBX up to v4.5.7, resources\download.php uses an unsanitized "f" variable taken from the URL, which accepts any file path on the system and allows it to be downloaded.
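To spot requests that exercise the unsanitized "f" parameter of the two affected scripts in web-server access logs, here is an added detection example (not code from FusionPBX or from the original advisory); the combined log format, the `/resources/...` URL prefix and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts named in the advisory; their URL prefix under the web root is an assumption.
AFFECTED_SUFFIXES = ("resources/download.php", "resources/secure_download.php")

# Apache/Nginx "combined" log format: client address, then the quoted request line.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252F -> %2F -> /) so double encoding cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(f_value):
    """True when the decoded value escapes a relative directory: an absolute path,
    a '..' segment (with '/' or '\\' separators), or an embedded NUL byte."""
    v = fully_decode(f_value).replace("\\", "/")
    if "\x00" in v or v.startswith("/"):
        return True
    return any(seg == ".." for seg in v.split("/"))

def scan_log(lines):
    """Return one finding per request to an affected script whose 'f' value is suspicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(AFFECTED_SUFFIXES):
            continue
        for f_value in parse_qs(parts.query, keep_blank_values=True).get("f", []):
            if is_traversal(f_value):
                findings.append({"client": m.group("client"), "path": parts.path, "f": fully_decode(f_value)})
    return findings

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [10/Aug/2019:12:00:01 +0000] "GET /resources/download.php?f=voicemail.wav HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Aug/2019:12:00:02 +0000] "GET /resources/download.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1451 "-" "curl/7.64.0"',
    '10.0.0.7 - - [10/Aug/2019:12:00:03 +0000] "GET /resources/secure_download.php?f=%2Fetc%2Fhostname HTTP/1.1" 200 12 "-" "curl/7.64.0"',
    '10.0.0.9 - - [10/Aug/2019:12:00:04 +0000] "GET /resources/download.php?f=..%252F..%252Fetc%252Fhosts HTTP/1.1" 200 220 "-" "python-requests/2.22"',
    '10.0.0.5 - - [10/Aug/2019:12:00:05 +0000] "GET /core/dashboard/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three traversal requests and leaves the ordinary download and the unrelated page untouched.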
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2e4784b2-721e-4a15-8bef-962a3936aee1
Fix: https://github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108
https://github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951
The issue was reported by Pierre Jourdan on 10/08/2019 and fixed on 11/08/2019 by Mark J Crane, who removed the PHP files completely.
CVE published; NVD base score is 6.5 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16986
https://nvd.nist.gov/vuln/detail/CVE-2019-16986