A very serious security vulnerability has been discovered by Kevin Lynn at GWU. It was demonstrated during the Atlanta Asterisk Users Conference this past weekend. It affects ALL FreePBX-based systems and could compromise not only your server but also your credentials on your server. All that is required to trigger the Trojan attack is displaying the CDR Report module within a browser.
This means that ALL trixbox versions are affected. We at FreePBX take this very seriously and released a fix as soon as the vulnerability was discovered.
However, since newer trixbox versions use a "forked" version of FreePBX, there is no fix released by Fonality or andrew. Users of the old versions of trixbox should just check for updates and install the new Framework to be safe.
I urge Fonality and andrew to take action immediately and "fork" the newly released FreePBX Framework so that you, trixbox customers, can continue to use trixbox and still be safe from attacks.
This just proves that "forking" FreePBX was a bad decision by Fonality.
Mikael Carlsson
FreePBX Development Team
Member Since: 2006-10-19