FreePBX Recordings Module Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability exists in the FreePBX recordings module, affecting versions from 16.0.17.2 up to but not including 16.0.20, and from 17.0.2.4 up to but not including 17.0.5. An authenticated user of the FreePBX Administration Control Panel can inject arbitrary commands that are executed on the server through the Media handling subsystem. The flaw arises because user-supplied POST parameters such as 'file' and 'filenames[]' are passed to shell-executed operations without proper sanitization, so shell metacharacters in those values are interpreted by the shell as additional commands rather than as part of a file name. An attacker who exploits the flaw can execute commands on the underlying host, potentially gaining remote access as the 'asterisk' user.
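The bug class described above, as an added illustrative example written for this entry. It is not the FreePBX recordings module's own code: the converter command (sox), the recordings directory and the function names are assumptions chosen to make the pattern concrete. The vulnerable function splices a POST value into a shell string; the hardened path allowlists the name, handles 'filenames[]' as the array it is, and executes via an argv array so no shell ever parses the values.

```php
<?php
declare(strict_types=1);

// Illustrative example added to this entry; not FreePBX project code.
// Shows the advisory's bug class (POST 'file' / 'filenames[]' reaching a
// shell unsanitised) beside a hardened version. The sox command and the
// recordings directory are assumptions for the illustration.

const RECORDINGS_DIR = '/var/lib/asterisk/sounds/custom';   // assumed path

// VULNERABLE: user input interpolated into a shell command string.
// With file = 'greeting.wav; id > /tmp/pwned' the shell runs 'id' as the
// account executing this code (the 'asterisk' user on a FreePBX host).
function convertVulnerable(array $post): string
{
    $file = $post['file'] ?? '';
    return 'sox ' . RECORDINGS_DIR . "/$file " . RECORDINGS_DIR . '/converted.wav';
}

// HARDENED step 1: allowlist the name instead of trying to escape bad bytes.
// Exactly one path component (no '/'), conservative characters, bounded length.
function validateRecordingName(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        throw new InvalidArgumentException('rejected recording name');
    }
    return $name;
}

// HARDENED step 2: build an argv array. 'filenames[]' arrives as a PHP array,
// so every element is checked individually and nested arrays are refused.
function buildConvertArgv(array $post): array
{
    $names = $post['filenames'] ?? null;
    if (!is_array($names) || $names === []) {
        throw new InvalidArgumentException('filenames[] must be a non-empty array');
    }
    $argv = ['sox'];
    foreach ($names as $n) {
        if (!is_string($n)) {
            throw new InvalidArgumentException('filenames[] entries must be strings');
        }
        $argv[] = RECORDINGS_DIR . '/' . validateRecordingName($n);
    }
    $argv[] = RECORDINGS_DIR . '/converted.wav';
    return $argv;
}

// HARDENED step 3: execute without a shell. The array form of proc_open
// (PHP >= 7.4) passes argv directly, so metacharacters can only ever be
// part of a (rejected) file name, never a second command.
function runArgv(array $argv): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed hostile request body for the demonstration.
$hostile = [
    'file'      => 'greeting.wav; id > /tmp/pwned',
    'filenames' => ['greeting.wav; id > /tmp/pwned'],
];

echo convertVulnerable($hostile), PHP_EOL;   // injected 'id' would run if executed
try {
    buildConvertArgv($hostile);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
print_r(buildConvertArgv(['filenames' => ['greeting.wav']]));   // clean argv
```

Wrapping each value in escapeshellarg() is the usual minimal patch for this class and is sound for the shell, but it still lets a caller pick any path the process can read; the allowlist plus argv-array approach removes the shell from the picture and confines the operation to the recordings directory at the same time.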

Impact

Successful exploitation gives an authenticated attacker arbitrary shell command execution on the server, and with it remote access to the host as the 'asterisk' user, the account under which the PBX itself runs.

Remediation

Upgrade the recordings module to a fixed release: 16.0.20 or later on FreePBX 16, 17.0.5 or later on FreePBX 17. In addition, restrict access to the FreePBX Administration Control Panel to authorized users, and use the FreePBX Firewall module to deny access from hostile networks.
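A quick exposure check for the version ranges stated above, added here as an example rather than taken from the FreePBX project. It uses PHP's version_compare() against the two affected ranges and pulls the installed version out of a module table. The sample table is constructed to resemble what fwconsole ma list prints; its exact column layout is an assumption, so adjust the regular expression if your output differs.

```php
<?php
declare(strict_types=1);

// Added example, not FreePBX project code. Decides whether a recordings
// module version falls in the affected ranges given in this entry:
//   16.0.17.2 <= v < 16.0.20   and   17.0.2.4 <= v < 17.0.5
// The table below is constructed to look like 'fwconsole ma list' output;
// the column layout (Module | Version | Status | License) is an assumption.

const AFFECTED_RANGES = [
    ['16.0.17.2', '16.0.20'],   // [first affected, first fixed)
    ['17.0.2.4',  '17.0.5'],
];

function recordingsAffected(string $version): bool
{
    foreach (AFFECTED_RANGES as [$first, $fixed]) {
        if (version_compare($version, $first, '>=') && version_compare($version, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Extract the recordings row's version from an ASCII table.
function recordingsVersionFromTable(string $table): ?string
{
    foreach (preg_split('/\R/', $table) as $line) {
        if (preg_match('/^\|\s*recordings\s*\|\s*(\S+)\s*\|/', $line, $m)) {
            return $m[1];
        }
    }
    return null;
}

// Constructed sample; not captured from a real system.
$sample = <<<'TXT'
+------------+-----------+----------+---------+
| Module     | Version   | Status   | License |
+------------+-----------+----------+---------+
| framework  | 17.0.19.0 | Enabled  | GPLv2+  |
| recordings | 17.0.4    | Enabled  | GPLv3+  |
+------------+-----------+----------+---------+
TXT;

$v = recordingsVersionFromTable($sample);
printf("recordings %s: %s\n", $v ?? 'not found',
    $v !== null && recordingsAffected($v) ? 'AFFECTED, upgrade' : 'not in affected range');

// Boundary checks on both ranges: first affected, last affected, first fixed.
foreach (['16.0.17.1', '16.0.17.2', '16.0.19', '16.0.20',
          '17.0.2.3', '17.0.2.4', '17.0.4', '17.0.5', '17.0.5.1'] as $t) {
    printf("%-10s %s\n", $t, recordingsAffected($t) ? 'affected' : 'ok');
}
```

On a live system the input would be the output of fwconsole ma list, and an affected result is followed by fwconsole ma upgrade recordings; versions below the first affected release in each branch are reported as ok only because this entry does not list them, not because they have been assessed.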

Added: Mar 5, 2026, 7:20 PM
Updated: Mar 5, 2026, 7:43 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact         10.0
exploitability  4.0
remediation     7.9
relevance       3.5
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight category scores, which are then combined into the overall risk score.