SECURITY ADVISORY: web services (Aug. 11, 2011)

Aug. 11, 2011

The FreePBX development team has identified some zero-day security vulnerabilities related to httpd and PHP. These vulnerabilities may allow a remote user to gain full root control over a system, and are present in lots of popular Asterisk-related distros.

The FreePBX development team strongly urges all users of the FreePBX Distro to immediately upgrade their systems and patch these vulnerabilities. Additionally, users are reminded never to keep their web port accessible to the internet.

To secure your system, please download the latest scripts found [url=http://www.freepbx.org/forum/freepbx-distro/distro-discussion-help/release-versions]here[/url]. Please remember that the upgrade scripts must be executed sequentially.

A big round of applause to my colleagues at [url=http://www.schmoozecom.com]Schmooze Com., Inc.[/url] for their tireless dedication to the community, for the sleepless nights they spent working on this (and many other!) issue, and for their swift response in releasing a patch to protect the users of the distro.

UPDATE: it seems this post has left a host of questions in its wake – please read the following replies to see if your questions have been answered yet, or reply with them if they haven't been!