FreePBX Dashboard Module Authenticated Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the FreePBX Dashboard module, affecting versions prior to 16.0.22 and 17.0.5. The issue arises in the 'getcontent' AJAX handler, where user-supplied input is used to include PHP files without proper path sanitization. This allows path traversal to include arbitrary '.class.php' files from the filesystem. Because the PHP code in the included file executes before any class instantiation error is raised, the error comes too late to prevent execution, potentially leading to unauthorized command execution on the server as the web server user, typically 'asterisk'.
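The following PHP is an added illustration of the defensive pattern that closes this class of bug; it is not FreePBX's own code, and the directory path, function names and request parameter are assumptions. It contrasts the unsafe shape the advisory describes (user input concatenated into an include path) with a resolver that allowlists the name syntactically and then confirms, after realpath() canonicalisation, that the resolved file still lies inside the intended directory.

```php
<?php
// Added example, not FreePBX code. CLASS_DIR is an assumed location.
const CLASS_DIR = '/var/www/html/admin/modules/dashboard/classes';

/**
 * Resolve a user-supplied section name to a *.class.php file under CLASS_DIR.
 * Returns the canonical path, or null if the name must be rejected.
 */
function resolveClassFile(string $name): ?string
{
    // 1. Syntactic allowlist: a bare identifier only. No '/', '\', '.', NUL
    //    or encoded variants can survive this, so traversal sequences are
    //    rejected before the filesystem is consulted at all.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return null;
    }

    // 2. Canonicalise and check containment. realpath() resolves '..' and
    //    symlinks and returns false for a missing file, so a symlink inside
    //    CLASS_DIR that points elsewhere is also caught by the prefix check.
    $base = realpath(CLASS_DIR);
    $path = realpath(CLASS_DIR . '/' . $name . '.class.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Unsafe shape this advisory describes, shown only for contrast:
 *   include $dir . '/' . $_REQUEST['name'] . '.class.php';
 * Whatever file the path resolves to is executed on include; checking that
 * the expected class exists afterwards cannot undo that.
 */

// Hardened handler: the include target comes only from resolveClassFile().
function loadSection(string $name): void
{
    $file = resolveClassFile($name);
    if ($file === null) {
        http_response_code(400);
        exit('invalid section');
    }
    require_once $file;
    // ... instantiate the expected class from $file here ...
}

// Example call with an assumed request parameter name.
loadSection((string) ($_REQUEST['section'] ?? ''));
```

Both checks are deliberately kept: the regex alone is sufficient for this case, but the realpath() containment check protects the code if the allowlist is later loosened (for example to permit subdirectories), and rejecting unknown names with a 400 rather than a fallback include keeps the failure visible in web server logs.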

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary PHP code on the server, with the commands running as the web server user, usually 'asterisk'.

Remediation

Users are advised to update the Dashboard module to the latest version. Additionally, access to the FreePBX Administrator Control Panel should be restricted to authorized users, and hostile network access should be denied, for example, by using the FreePBX Firewall module.

Added: May 29, 2026, 2:33 PM
Updated: May 29, 2026, 2:33 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          4.5
impact          7.5
exploitability  4.3
remediation     7.9
relevance       9.7
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.