Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

FreePBX Endpoint Module Authentication Bypass Leading to SQL Injection and Remote Code Execution Vulnerability

Vulnerability

A vulnerability in the FreePBX endpoint module, affecting versions 15, 16, and 17, allows unauthenticated access to the FreePBX Administrator interface. The access is obtained through insufficiently sanitized user input, which enables arbitrary database manipulation and remote code execution. The vulnerability is exploitable when the endpoint module is installed and the FreePBX Administrator interface is exposed to the public internet without proper access controls.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the FreePBX Administrator interface, allowing for arbitrary database changes and remote code execution on the affected system.

Reproduction

The vulnerability can be reproduced by installing the affected endpoint module on FreePBX versions 16 or 17, and then exposing the FreePBX Administrator interface to the public internet without adequate IP filtering or access controls. Once these conditions are met, the vulnerability can be exploited to gain unauthorized access and execute arbitrary code.

Remediation

Users should upgrade to FreePBX versions 15.0.66, 16.0.89, or 17.0.3, depending on their current version. After upgrading, verify that the 'endpoint' module is at the latest patched version. For systems with an active subscription for the endpoint module, the update can be performed from the command line or through the FreePBX Administrator Control Panel. Instructions for checking and updating the endpoint module are available on the FreePBX Community Forums.
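An added example for the verification step, not code from this advisory or from the FreePBX project: a POSIX sh check that reads the endpoint module's version out of `fwconsole ma list` output and compares it, numerically per field, with the version listed above for the same major branch. It assumes the pipe-delimited table layout shown in the constructed sample and treats the three versions above as the minimum patched endpoint module version for each branch.

```sh
#!/bin/sh
# Added example: verify the FreePBX 'endpoint' module version after upgrading.
# Assumption: the per-branch versions in the advisory are the minimum patched
# endpoint module versions (15.0.66 / 16.0.89 / 17.0.3).

# Minimum patched version for the module's major branch; fails for unknown branches.
patched_min_for() {
  case "$1" in
    15.*) echo 15.0.66 ;;
    16.*) echo 16.0.89 ;;
    17.*) echo 17.0.3 ;;
    *) return 1 ;;
  esac
}

# version_ge A B: true when dotted version A >= B. Fields compare numerically,
# missing fields count as 0, trailing non-digits such as "rc1" are ignored.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Extract the endpoint module's version from `fwconsole ma list` output,
# assumed to be a pipe-delimited table: | Module | Version | Status | License |
endpoint_version_from_list() {
  printf '%s\n' "$1" | awk -F'|' \
    '$2 ~ /^[[:space:]]*endpoint[[:space:]]*$/ { gsub(/[[:space:]]/, "", $3); print $3; exit }'
}

# endpoint_is_patched VERSION: 0 = patched, 1 = still vulnerable, 2 = unknown branch
endpoint_is_patched() {
  min=$(patched_min_for "$1") || return 2
  version_ge "$1" "$min"
}

# Constructed sample of `fwconsole ma list` output (not captured from a real system);
# on a live system use: fwconsole ma list
SAMPLE_LIST='| Module   | Version | Status  | License    |
| core     | 16.0.68 | Enabled | GPLv3+     |
| endpoint | 16.0.88 | Enabled | Commercial |'

v=$(endpoint_version_from_list "$SAMPLE_LIST")
if endpoint_is_patched "$v"; then echo "endpoint $v: patched"; else echo "endpoint $v: NOT patched"; fi
```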

Added: Aug 28, 2025, 5:28 PM
Updated: Aug 29, 2025, 5:12 PM

Vulnerability Rating

Custom Algorithm

spread:         4.5
impact:        10.0
exploitability: 9.4
remediation:    8.3
relevance:      0.4
threat:         9.5
urgency:        2.9
incentive:     10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.