FreePBX Webserver Authentication Bypass Vulnerability in Endpoint Manager

Vulnerability

An authentication bypass vulnerability has been identified in the FreePBX Endpoint Manager module, affecting versions prior to 16.0.44 and 17.0.23. When the authentication type is set to 'webserver', an Authorization header with an arbitrary value is enough to associate a session with the target user, so valid credentials are never required. The issue arises from the webserver authentication method, which assumes the web server itself has been securely configured to authenticate requests; when that assumption does not hold, the header is trusted without verification and an attacker can gain unauthorized access to the administrator control panel.

Impact

Exploitation of this vulnerability allows for unauthorized logins to the administrator control panel, potentially leading to unauthorized changes in the system or module configurations.

Reproduction

To reproduce this vulnerability, set the authentication type to 'webserver' in the FreePBX advanced settings, then send a request with an Authorization header containing an arbitrary (invalid) value. A session is created for the user named in the header, bypassing the need for valid login credentials.
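The flaw described above is a general one: an application assumes the web server has already verified the credentials carried in the Authorization header, so it reads the user name out of that header and starts a session without checking anything. The following is an added illustration in Python, not code from FreePBX or the Endpoint Manager module, modelling that assumption next to the hardened form. The credential store, user names and header values are constructed for the demo; how FreePBX itself extracts the user is assumed, not taken from its source.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed demo credential store, not FreePBX's user manager; plain-text
# passwords are used only to keep the example short.
DEMO_USERS = {"admin": "correct horse battery staple"}


def _parse_basic(header_value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split a 'Basic <base64(user:password)>' header into (user, password).
    Returns (None, None) for a missing, non-Basic or malformed header."""
    if not header_value:
        return None, None
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None, None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, None
    user, sep, password = decoded.partition(":")
    if not user or not sep:
        return None, None
    return user, password


def vulnerable_session_user(headers: dict) -> Optional[str]:
    """Models the flawed 'webserver' assumption (a model of the bug class, not
    FreePBX's actual code): the application believes the web server already
    verified the credentials, so it takes the user name from the header and
    associates a session with it. Any well-formed header logs that user in."""
    user, _password = _parse_basic(headers.get("Authorization"))
    return user  # the password is never compared to anything


def hardened_session_user(headers: dict, users: dict = DEMO_USERS) -> Optional[str]:
    """Same header, but the credentials are verified before any session is
    associated with the user. The alternative fix is to consume only a user
    variable that the web server sets after it has authenticated the client,
    and never the raw Authorization header."""
    user, password = _parse_basic(headers.get("Authorization"))
    if user is None:
        return None
    expected = users.get(user)
    if expected is None:
        return None
    # Constant-time comparison so a wrong password does not leak by timing.
    if not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return None
    return user


def basic_header(user: str, password: str) -> str:
    """Build a Basic Authorization header value for the demo."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed request: a syntactically valid header with a wrong password.
    bogus = {"Authorization": basic_header("admin", "not-the-password")}
    print("vulnerable:", vulnerable_session_user(bogus))  # admin
    print("hardened:  ", hardened_session_user(bogus))    # None
```

The two functions receive the same request; the difference is only whether the application relies on something it never verified. When a deployment really does delegate authentication to the web server, the application should read only the authenticated-user variable that server sets, and that variable must not be populated from the client-supplied header.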

Remediation

Update to FreePBX Endpoint Manager version 16.0.44 or 17.0.23, where this vulnerability has been patched. After updating, check the authentication type setting and ensure it is not set to 'webserver'.

Added: Dec 10, 2025, 12:56 AM
Updated: Dec 10, 2025, 12:56 AM

Vulnerability Rating

Custom Algorithm scores:
spread: 4.5
impact: 5.0
exploitability: 8.0
remediation: 8.3
relevance: 1.4
threat: 5.1
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.