In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)

Skip to content

An authenticated user can download any file of the system through a URL of FusionPBX 4.5.7 specifically crafted.

In FusionPBX up to v4.5.7, file resources\\download.php uses an unsanitized “f” variable coming from the URL which takes any file path of the system and allows to download it.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=2e4784b2-721e-4a15-8bef-962a3936aee1  
Fix: https://github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108  
https://github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on 11/08/2019 by removing the php files completely by Mark J Crane.

CVE published, NVD base score is 6.5 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16986  
https://nvd.nist.gov/vuln/detail/CVE-2019-16986

CVE-2019-16986: FusionPBX Path traversal 2

In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.

Skip to content

An authenticated user can delete any file of the system through a URL of FusionPBX 4.5.7 specifically crafted.

In FusionPBX up to v4.5.7, file app\\xml\_cdr\\xml\_cdr\_delete.php uses an unsanitized “rec” variable coming from the URL which is base64 decoded and allows to delete any file of the system.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=bee80ee5-8c44-4c13-9ebb-3424177aa8db  
Fix: https://github.com/fusionpbx/fusionpbx/commit/284b0a91968f126fd6be0a486a84e065926905ca

Issue was reported by Pierre Jourdan on 13/08/2019 and fixed on same day by Mark J Crane.

CVE published, NVD base score is 6.5 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16985  
https://nvd.nist.gov/vuln/detail/CVE-2019-16985

CVE-2019-16985: FusionPBX Path traversal 1

In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.

@@ -17,7 +17,7 @@

The Initial Developer of the Original Code is

Mark J Crane <markjcrane@fusionpbx.com>

Portions created by the Initial Developer are Copyright (C) 2008-2016

Portions created by the Initial Developer are Copyright (C) 2008-2019

the Initial Developer. All Rights Reserved.

Contributor(s):

@@ -37,7 +37,8 @@

echo "access denied";

exit;

}

  

  

//get the variables

$filename = $\_GET\['filename'\];

$type = $\_GET\['type'\]; //moh //rec

  

@@ -51,7 +52,7 @@

<table width\="100%" border\="0" cellpadding\="0" cellspacing\="0"\>

<tr\>

<td align\='center'\>

<b\>file: <?php echo $filename ?></b\>

<b\><?php echo escape($filename) ?></b\>

</td\>

</tr\>

<tr\>

@@ -69,7 +70,7 @@

}

else {

echo "<audio src=\\"http://localhost:8000/mod/recordings/recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\\" autoplay=\\"autoplay\\"\></audio>";

echo "<embed src=\\"recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\\" autostart=\\"true\\" width=\\"300\\" height=\\"90\\" name=\\"sound\_".$filename."\\" enablejavascript=\\"true\\"\>\\n";

echo "<embed src=\\"recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\\" autostart=\\"true\\" width=\\"300\\" height=\\"90\\" name=\\"sound\_".escape($filename)."\\" enablejavascript=\\"true\\"\>\\n";

}

}

if ($file\_ext == "mp3") {

CVE-2019-16984: Update recording_play.php · fusionpbx/fusionpbx@11f2dd2

In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS.

@@ -39,6 +39,40 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count $page\_number = 0; }  
//sanitize the parameters $sanitized\_parameters = ''; if (isset($param) && strlen($param) > 0) { $param\_array = explode("&", $param); if (is\_array($param\_array)) { foreach($param\_array as $row) { $param\_sub\_array = explode("\=", $row); $key = preg\_replace('#\[^a-zA-Z0-9\_\\-\]#', '', $param\_sub\_array\['0'\]); $value = urldecode($param\_sub\_array\['1'\]); if ($key == 'order\_by' && strlen($value) > 0) { //validate order by $sanitized\_parameters .= "&order\_by=". preg\_replace('#\[^a-zA-Z0-9\_\\-\]#', '', $value); } elseif ($key == 'order' && strlen($value) > 0) { //validate order switch ($value) { case 'asc': $sanitized\_parameters .= "&order=asc"; break; case 'desc': $sanitized\_parameters .= "&order=desc"; break; } } elseif (strlen($value) > 0 && is\_numeric($value)) { $sanitized\_parameters .= "&".$key."\=".$value; } else { $sanitized\_parameters .= "&".$key."\=".urlencode($value); } } } }  
//get the offset $offset = ($page\_number - 1) \* $rows\_per\_page;  
@@ -51,8 +85,8 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count $language = new text; $text = $language\->get();  
// print the link to access each page $self = $\_SERVER\['PHP\_SELF'\]; //print the link to access each page $self = escape($\_SERVER\['PHP\_SELF'\]); $nav = ''; for($page = 1; $page <= $max\_page; $page++){ if ($page == $page\_number) { @@ -64,21 +98,21 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count }  
if ($page\_number > 0) { $page = $page\_number - 1; $prev = "<input class='btn' type='button' value='".$text\['button-back'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=$page".$param."';\\"\>\\n"; //&#9664; $first = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=1".$param."';\\"\>\\n"; //&#9650; $page = $page\_number - 1; $prev = "<input class='btn' type='button' value='".$text\['button-back'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=".$page.$sanitized\_parameters."';\\"\>\\n"; //&#9664; $first = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=1".$sanitized\_parameters."';\\"\>\\n"; //&#9650; } else { $prev = "<input class='btn' type='button' disabled value='".$text\['button-back'\]."' style='opacity: 0.4; -moz-opacity: 0.4; cursor: default;'>\\n"; //&#9664; }  
if (($page\_number + 1) < $max\_page) { $page = $page\_number + 1; $next = "<input class='btn' type='button' value='".$text\['button-next'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=$page".$param."';\\"\>\\n"; //&#9654; $last = "<input class='btn' type='button' value='".$text\['button-back'\]."' onClick=\\"window.location = '".$self."?page=$max\_page".$param."';\\"\>\\n"; //&#9660; $page = $page\_number + 1; $next = "<input class='btn' type='button' value='".$text\['button-next'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=".$page.$sanitized\_parameters."';\\"\>\\n"; //&#9654; $last = "<input class='btn' type='button' value='".$text\['button-back'\]."' onClick=\\"window.location = '".$self."?page=".$max\_page.$sanitized\_parameters."';\\"\>\\n"; //&#9660; } else { $last = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=$max\_page".$param."';\\"\>\\n"; //&#9660; $last = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=".$max\_page.$sanitized\_parameters."';\\"\>\\n"; //&#9660; $next = "<input class='btn' type='button' disabled value='".$text\['button-next'\]."' style='opacity: 0.4; -moz-opacity: 0.4; cursor: default;'>\\n"; //&#9654; }  
@@ -123,7 +157,7 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count "// action to peform when enter is hit\\n". "if (page\_num < 1) { page\_num = 1; }\\n". "if (page\_num > ".$max\_page.") { page\_num = ".$max\_page."; }\\n". "document.location.href = '".$self."?page='+(--page\_num)+'".$param."';\\n". "document.location.href = '".$self."?page='+(--page\_num)+'".$sanitized\_parameters."';\\n". "}\\n". "}\\n". "</script>\\n";

CVE-2019-16983: Update paging.php · fusionpbx/fusionpbx@23581e5

In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.

@@ -13,7 +13,7 @@

The Original Code is FusionPBX

The Initial Developer of the Original Code is

Mark J Crane <markjcrane@fusionpbx.com>

Portions created by the Initial Developer are Copyright (C) 2018

Portions created by the Initial Developer are Copyright (C) 2019

the Initial Developer. All Rights Reserved.

Contributor(s):

Mark J Crane <markjcrane@fusionpbx.com>

@@ -26,7 +26,8 @@

  

//check permissions

if (!permission\_exists('access\_control\_node\_view')) {

echo "access denied"; exit;

echo "access denied";

exit;

}

  

//add multi-lingual support

@@ -87,7 +88,7 @@

echo th\_order\_by('node\_description', $text\['label-node\_description'\], $order\_by, $order);

echo "<td class='list\_control\_icons'>";

if (permission\_exists('access\_control\_node\_add')) {

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

}

else {

echo "&nbsp;\\n";

@@ -98,7 +99,7 @@

if (is\_array($access\_control\_nodes)) {

foreach($access\_control\_nodes as $row) {

if (permission\_exists('access\_control\_node\_edit')) {

$tr\_link = "href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."'";

$tr\_link = "href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."'";

}

echo "<tr ".$tr\_link."\>\\n";

echo " <td valign='top' class='".$row\_style\[$c\]."'>".escape($row\['node\_type'\])."&nbsp;</td>\\n";

@@ -107,10 +108,10 @@

echo " <td valign='top' class='".$row\_style\[$c\]."'>".escape($row\['node\_description'\])."&nbsp;</td>\\n";

echo " <td class='list\_control\_icons'>";

if (permission\_exists('access\_control\_node\_edit')) {

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-edit'\]."'>$v\_link\_label\_edit</a>";

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-edit'\]."'>$v\_link\_label\_edit</a>";

}

if (permission\_exists('access\_control\_node\_delete')) {

echo "<a href='access\_control\_node\_delete.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-delete'\]."' onclick=\\"return confirm('".$text\['confirm-delete'\]."')\\"\>$v\_link\_label\_delete</a>";

echo "<a href='access\_control\_node\_delete.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-delete'\]."' onclick=\\"return confirm('".$text\['confirm-delete'\]."')\\"\>$v\_link\_label\_delete</a>";

}

echo " </td>\\n";

echo "</tr>\\n";

@@ -122,7 +123,7 @@

echo "</table>\\n";

if (permission\_exists('access\_control\_node\_add')) {

echo "<div style='float: right;'>\\n";

echo " <a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo " <a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo "</div>\\n";

}

echo "<br />\\n";

CVE-2019-16982: Update access_control_nodes.php · fusionpbx/fusionpbx@c9f87dc

In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.

Skip to content

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\\conferences\_active\\conference\_interactive.php uses an unsanitized “c” variable coming from the URL which is reflected in HTML leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=e7d9acc9-d629-4f7c-adef-dd95344fdb9f  
Fix: https://github.com/fusionpbx/fusionpbx/commit/83123e314a2e4c2dd0815446f89bcad97278d98d

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on same day by Mark J Crane.

CVE published, NVD base score is 6.1 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16989  
https://nvd.nist.gov/vuln/detail/CVE-2019-16989

CVE-2019-16989: FusionPBX XSS 19

In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.

Skip to content

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\\basic\_operator\_panel\\resources\\content.php uses an unsanitized “eavesdrop\_dest” variable coming from the URL which is reflected on 3 occasions in HTML leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=15d02f7a-3dc0-441a-ac70-e09f95817004  
Fix: https://github.com/fusionpbx/fusionpbx/commit/7fec1014ff0d08e36be6a3f7664edb3a9df7b4ac

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on same day by Mark J Crane.

CVE published, NVD base score is 6.1 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16988  
https://nvd.nist.gov/vuln/detail/CVE-2019-16988

CVE-2019-16988: FusionPBX XSS 18

In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.

Skip to content

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\\contacts\\contact\_import.php uses an unsanitized “query\_string” variable coming from the URL which is reflected in HTML leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=6435167c-0960-47ea-a8c9-b3f46611b25d  
Fix: https://github.com/fusionpbx/fusionpbx/commit/ccdb27536d3549b5c0c317e3665fff231631ec77

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on 13/08/2019 by Mark J Crane.

CVE published, NVD base score is 6.1 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16987  
https://nvd.nist.gov/vuln/detail/CVE-2019-16987

CVE-2019-16987: FusionPBX XSS 17

In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.

@@ -81,7 +81,7 @@

echo " <td>".$text\['label-path'\]."</td>";

echo " </tr>";

echo " <tr>";

echo " <td>".$folder."</td>";

echo " <td>".escape($folder)."</td>";

echo " </tr>";

echo " </table>";

echo " <br />";

@@ -90,11 +90,11 @@

echo " <td>".$text\['label-file-name'\]."</td>";

echo " </tr>";

echo " <tr>";

echo " <td><input type='text' name='file' value='".$file."'></td>";

echo " <td><input type='text' name='file' value='".escape($file)."'></td>";

echo " </tr>";

echo " <tr>";

echo " <td colspan='1' align='right'>";

echo " <input type='hidden' name='folder' value='$folder'>";

echo " <input type='hidden' name='folder' value='".escape($folder)."'>";

echo " <input type='hidden' name='token' id='token' value='". $\_SESSION\['token'\]. "'>";

echo " <input type='submit' value='".$text\['button-del-file'\]."'>";

echo " </td>";

@@ -106,5 +106,4 @@

//include the footer

require\_once "footer.php";

}

  

?>

CVE-2019-16991: Update filedelete.php · fusionpbx/fusionpbx@cd4632b

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Timestamp:

10/14/2019 03:38:14 PM (3 years ago)

whyisjake

Message:

Administration: Ensure that admin referer nonce is valid.  

Coding standards, ensure that nonce is valid with identical, rather then equal operator.  

Props vortfu, xknown, whyisjake.  

Location:

trunk

Files:

  

*   src/wp-includes/pluggable.php (2 diffs)
*   tests/phpunit/tests/auth.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **trunk/src/wp-includes/pluggable.php**
    
    r46472
    
    r46477
    
     
    
    1107
    
    1107
    
         \*/
    
    1108
    
    1108
    
        function check\_admin\_referer( $action = -1, $query\_arg = '\_wpnonce' ) {
    
    1109
    
     
    
            if ( -1 == $action ) {
    
     
    
    1109
    
            if ( -1 ==\= $action ) {
    
    1110
    
    1110
    
                \_doing\_it\_wrong( \_\_FUNCTION\_\_, \_\_( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    
    1111
    
    1111
    
            }
    
    …
    
    …
    
     
    
    1126
    
    1126
    
            do\_action( 'check\_admin\_referer', $action, $result );
    
    1127
    
    1127
    
    1128
    
     
    
            if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
     
    
    1128
    
            if ( ! $result && ! ( -1 ==\= $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
    1129
    
    1129
    
                wp\_nonce\_ays( $action );
    
    1130
    
    1130
    
                die();
    
*   **trunk/tests/phpunit/tests/auth.php**
    
    r45717
    
    r46477
    
     
    
    25
    
    25
    
            self::$user\_id = self::$\_user->ID;
    
    26
    
    26
    
    27
    
     
    
            require\_once( ABSPATH . WPINC . '/class-phpass.php' );
    
     
    
    27
    
            require\_once ABSPATH . WPINC . '/class-phpass.php';
    
    28
    
    28
    
            self::$wp\_hasher = new PasswordHash( 8, true );
    
    29
    
    29
    
        }
    
    …
    
    …
    
     
    
    166
    
    166
    
        }
    
    167
    
    167
    
     
    
    168
    
        public function test\_check\_admin\_referer\_with\_default\_action\_as\_string\_not\_doing\_it\_wrong() {
    
     
    
    169
    
            $this->setExpectedIncorrectUsage( 'check\_admin\_referer' );
    
     
    
    170
    
            // A valid nonce needs to be set so the check doesn't die()
    
     
    
    171
    
            $\_REQUEST\['\_wpnonce'\] = wp\_create\_nonce( '-1' );
    
     
    
    172
    
            $result               = check\_admin\_referer( '-1' );
    
     
    
    173
    
            $this->assertSame( 1, $result );
    
     
    
    174
    
     
    
    175
    
            unset( $\_REQUEST\['\_wpnonce'\] );
    
     
    
    176
    
        }
    
     
    
    177
    
    168
    
    178
    
        /\*\*
    
    169
    
    179
    
         \* @ticket 36361
    

**Note:** See TracChangeset for help on using the changeset viewer.

Tag

#php