VoIP, Linux, Security & much more fun
If you need any help regarding these subjects do not hesitate about sending me a text

FusionPBX, it is a web frontend for the FreeSWITCH (the best VoIP switch in my opinion). By default, FusionPBX hard links a username to its domain. This means user1 in the domain something.inside-out.xyz with password 123 is totally different and isolated to user1 in the domain else.inside-out.xyz with password 123. But this default behavior is not always what we want in our PBX.

FusionPBX allows you to have a unique login. This is not a surprise, almost every web site has moved to this by using email as the login. FusionPBX is not the exception. But it is turned off by default in 4.2. If you turn this on, you will be able to use your unique login (for example the email, as it is supposed that there is only one full address) to get into fusion. This is very handy, you will save money by only purchasing a simple SSL certificate instead of a wildcard one, and you can have somehow an independent server for the FusionPBX page. Just some ideas.

The Bug

DISCLAIMER: I have not personally reproduced this bug, but I have more than one report it has happened. Please note you are only exposed to this bug if you know you have turned on the unique logic.

While working on my day job, I was told that somehow, a user was able to rename a username with its unique login in different tenants. And after doing it, the user was able to log into a domain that was not meant to log in.

Furthermore, if a user knows the unique login of another user and if it updates a user with that username, he was able to log. For example, unique user This email address is being protected from spambots. You need JavaScript enabled to view it. has admin access to its domain dog.inside-out.xyz. Miguel knows the user This email address is being protected from spambots. You need JavaScript enabled to view it. is the admin of the domain bunny.inside-out.xyz. Miguel is aware of this bug. Then, Miguel creates user This email address is being protected from spambots. You need JavaScript enabled to view it. with a known password for him. Miguel edits the username This email address is being protected from spambots. You need JavaScript enabled to view it. and renames it to This email address is being protected from spambots. You need JavaScript enabled to view it. which it already exists (here it is the bug). Miguel tries to log into the system with the new user he just created, and voilá! If he is lucky, he will get access to domain bunny.inside-out.xyz.

The Patch

Today I have sent two pull requests #2484 and #2485 that prevents this. I will put it here anyway (for 4.2).

Edit the file core/users/usersupdate.php, and look around line 115. You will find something like this:

$sql= "select count(*) as num_rows from v_users where domain_uuid = '".$domain_uuid."' and username = '".$username."'";

Replace that line for these:

$sql = "select count(*) as num_rows from v_users where username = '".$username."'";
if ($_SESSION["user"]["unique"]["text"] != "global"){
    $sql .= " and domain_uuid = '".$domain_uuid."'";
}

You are done. Good Luck!

blog comments powered by Disqus
If you need more help than the free one provided here...