Some vulnerabilities and a weakness have been discovered in freePBX, which can be exploited by malicious people to disclose certain system information, and to conduct cross-site scripting and cross-site request forgery attacks.

1) Input passed e.g. to "display" parameter in reports.php, to the "order" and "extdisplay" parameters in config.php, to the "sort" parameter in recordings/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The application allows users to perform certain actions via HTTP requests without performing any validity check to verify the requests. This can be exploited to perform certain administrative actions (e.g. create a new administrative user) when a logged-in admin visits a malicious web site.

3) A weakness is caused due to the application returning different error messages depending on whether an unsuccessful login attempt is performed with a valid or invalid user name.This can be exploited to enumerate valid user names.

The vulnerabilities and the weakness are confirmed in version 2.5.1. Other versions may also be affected.

Solution
Install the updated modules.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) Mike Bailey and Dejan Levaja
2) Mike Bailey
3) Dejan Levaja

Changelog
Further details available to Secunia VIM customers

Original Advisory
freePBX:
http://freepbx.org/trac/ticket/3660

Deep Links
Links available to Secunia VIM customers