| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Mar 2011 23:07:33 +0000 From: "Tim Osman" <timosman@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Trixbox CE - undocumented web admin Affected products: ------------------------- Trixbox CE 2.8.0.4 and below Trixbox CE 2.6.2.3 and below ---------- Details: ---------- Trixbox CE, an Asterisk and FreePBX based system ships with undocumented web admin. The admin web interface can be accessed by user wwwadmin which grants full access to PBX configuration including all trunks/extensions credentials and config changes. ---------- Solution: ---------- Remove wwwadmin from /usr/local/apache/passwd/wwwpasswd and/or /etc/trixbox/httpdconf/trixbox.conf ------------ Timeline: ------------ 08/20/2010 Notification posted on trixbox.org 11/29/2010 Vendor acknowledged and scheduled fix for the next release. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists