FreePBX Phone Apps Module Authenticated SQL Injection Vulnerability

Vulnerability

An authenticated SQL injection vulnerability has been identified in the FreePBX Phone Apps module (the 'restapps' module), specifically in its REST API endpoint. It affects module versions prior to 16.0.41 on FreePBX 16 and prior to 17.0.6 on FreePBX 17. The flaw lies in the handling of the 'app_extension' parameter, whose value reaches a database query in a way that allows SQL injection. Exploitation requires authenticating with a known password, but the bar is low: depending on local configuration, the extension, voicemail, User Manager, DPMA, or EPM phone admin password is sufficient, so any user who can log a phone into the Phone Apps endpoint is a potential attacker.
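The mechanism behind a parameter-driven SQL injection like this one, as an added example that is not code from FreePBX or the restapps module: an endpoint splices a request parameter into the query text, a UNION payload in that parameter pulls rows from a column the endpoint never meant to expose, and the same payload is inert once the value is bound as a placeholder and checked against an allow-list. The in-memory table (app_users), its columns, its rows and the function names are constructed assumptions for illustration only, not the FreePBX schema.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a phone-apps style lookup.
    Table, columns and rows are assumptions for this example, not FreePBX's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_users (
            app_extension TEXT PRIMARY KEY,
            display_name  TEXT,
            secret        TEXT
        );
        INSERT INTO app_users VALUES ('1001', 'Alice', 'pin-4821');
        INSERT INTO app_users VALUES ('1002', 'Bob',   'pin-9930');
    """)
    return conn


def lookup_vulnerable(conn, app_extension):
    """Vulnerable pattern: the request parameter is concatenated into the SQL text,
    so whatever the caller sends in app_extension becomes part of the statement."""
    sql = ("SELECT display_name FROM app_users "
           "WHERE app_extension = '" + app_extension + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, app_extension):
    """Hardened pattern: the value is bound to a placeholder, so the driver passes
    it as data and the quotes and UNION in a payload are just characters."""
    sql = "SELECT display_name FROM app_users WHERE app_extension = ?"
    return [row[0] for row in conn.execute(sql, (app_extension,))]


# Allow-list for dial-plan style extensions (digits, * and #). Defence in depth
# on top of parameterization; the exact pattern is an assumption.
EXTENSION_RE = re.compile(r"^[0-9*#]{1,20}$")


def validate_extension(app_extension):
    """Return True only when the parameter looks like an extension."""
    return EXTENSION_RE.match(app_extension) is not None


# UNION-based payload: closes the string literal, appends a second SELECT over a
# column the endpoint was never meant to return, and comments out the trailing quote.
PAYLOAD = "1001' UNION SELECT secret FROM app_users -- "


def demo():
    """Run the payload through both code paths and return what each one yields."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)       # secrets of every row
    bound = lookup_parameterized(conn, PAYLOAD)     # no row has that literal extension
    accepted = validate_extension(PAYLOAD)          # rejected before any query runs
    return leaked, bound, accepted


if __name__ == "__main__":
    leaked, bound, accepted = demo()
    print("vulnerable endpoint returned:", leaked)
    print("parameterized endpoint returned:", bound)
    print("allow-list accepted payload:", accepted)
```

Running the script shows the concatenated query returning the display name together with every secret in the table, while the parameterized query returns nothing for the same input and the allow-list refuses it outright. The fix in restapps is the maintainers' own; this example only shows the class of bug and the two standard defences.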

Impact

An attacker who can authenticate to the Phone Apps REST endpoint with any of the accepted passwords can inject SQL through the 'app_extension' parameter and read or modify data in the FreePBX database that the endpoint was never meant to expose.

Remediation

Users are advised to update the 'restapps' module to the latest fixed version (16.0.41 or later on FreePBX 16, 17.0.6 or later on FreePBX 17). Additional mitigations include restricting Phone Apps access to trusted users, isolating the telephony network from the public internet, removing users and extensions that should not have access, changing passwords to longer randomized strings, and placing a hardware firewall in front of the FreePBX RESTful Phone Apps ports. It is also recommended to confirm that the FreePBX Responsive Firewall is active and to require tokens for all endpoints; test the token setting first and be prepared to reboot all phones once tokens are enabled.

Added: Dec 4, 2025, 12:17 AM
Updated: Dec 4, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.8
remediation: 7.7
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.