Today I have published RPMs for the Nagios FreeSWITCH plugin 0.0.4 in OKay's RPM repository. This is a very simple Nagios plugin that connects to your FreeSWITCH through the fs_cli application to get useful information.

Release 0.0.4 has the following plugins:

  • check_fs_registered: sends an alert if you do not have enough endpoints registered
  • check_fs_registered_cap: sends an alert if you have too many endpoints registered
  • check_fs_channels: sends an alert if too many channels are in use
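To make concrete what such a check does, here is an added example of the same shape, written for this page and not taken from the nagios-plugins-freeswitch package: it runs fs_cli -x, reads the trailing "N total." line that FreeSWITCH show commands print, compares the count against warning/critical thresholds and returns the standard Nagios exit codes. The fs_cli invocation, the threshold semantics (below a minimum for the registered check, above a maximum for the cap and channels checks) and the sample output are assumptions.

```python
"""Added example: a minimal Nagios check in the spirit of check_fs_registered,
check_fs_registered_cap and check_fs_channels.  Not the plugin's own code."""
import re
import subprocess
import sys

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# FreeSWITCH 'show registrations' / 'show channels' end with a line such as "2 total."
TOTAL_RE = re.compile(r"^\s*(\d+) total\.?\s*$", re.MULTILINE)

# Constructed sample of what 'fs_cli -x "show registrations"' prints for two endpoints
SAMPLE_REGISTRATIONS = (
    "reg_user,realm,token,url,expires,network_ip,network_port,network_proto,hostname,metadata\n"
    "1001,dog.inside-out.xyz,tok1,sofia/internal/sip:1001@192.0.2.10:5060,1700000000,192.0.2.10,5060,udp,fs1,\n"
    "1002,dog.inside-out.xyz,tok2,sofia/internal/sip:1002@192.0.2.11:5060,1700000000,192.0.2.11,5060,udp,fs1,\n"
    "\n"
    "2 total.\n"
)


def count_from_show_output(text):
    """Return the number in the trailing 'N total.' line, or None when it is absent
    (fs_cli could not connect, or printed something unexpected)."""
    match = TOTAL_RE.search(text or "")
    return int(match.group(1)) if match else None


def evaluate_minimum(count, warn, crit, label="registered"):
    """check_fs_registered semantics: alert when FEWER than the threshold are present.
    Returns (exit_code, status_line); the status line carries Nagios perf data."""
    if count is None:
        return UNKNOWN, f"UNKNOWN - could not read {label} count from fs_cli"
    perf = f"| {label}={count};{warn};{crit}"
    if count < crit:
        return CRITICAL, f"CRITICAL - only {count} {label} (critical below {crit}) {perf}"
    if count < warn:
        return WARNING, f"WARNING - only {count} {label} (warning below {warn}) {perf}"
    return OK, f"OK - {count} {label} {perf}"


def evaluate_maximum(count, warn, crit, label="channels"):
    """check_fs_registered_cap / check_fs_channels semantics: alert when MORE than
    the threshold are present."""
    if count is None:
        return UNKNOWN, f"UNKNOWN - could not read {label} count from fs_cli"
    perf = f"| {label}={count};{warn};{crit}"
    if count > crit:
        return CRITICAL, f"CRITICAL - {count} {label} (critical above {crit}) {perf}"
    if count > warn:
        return WARNING, f"WARNING - {count} {label} (warning above {warn}) {perf}"
    return OK, f"OK - {count} {label} {perf}"


def run_fs_cli(command):
    """Ask the local FreeSWITCH for 'command' via fs_cli; None if fs_cli is missing,
    fails or hangs, so the caller reports UNKNOWN instead of a false OK."""
    try:
        proc = subprocess.run(["fs_cli", "-x", command], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def main(argv):
    """usage: check_fs.py registered|registered_cap|channels WARN CRIT"""
    if len(argv) != 4:
        print("UNKNOWN - usage: check_fs.py registered|registered_cap|channels WARN CRIT")
        return UNKNOWN
    mode, warn, crit = argv[1], int(argv[2]), int(argv[3])
    command = "show channels" if mode == "channels" else "show registrations"
    count = count_from_show_output(run_fs_cli(command))
    if mode == "registered":
        code, line = evaluate_minimum(count, warn, crit, "registered")
    else:
        code, line = evaluate_maximum(count, warn, crit,
                                      "channels" if mode == "channels" else "registered")
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A failed or hung fs_cli deliberately maps to UNKNOWN rather than OK, so a monitoring host that cannot reach the switch never reports it as healthy.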

I want to thank T5 Telecom for sponsoring release 0.0.1 and VoipLy for sponsoring 0.0.4.

RPMs are available for CentOS 6 and 7. You can find them by running yum search nagios-plugins-freeswitch.

Enjoy!


HAProxy is, as its name says, a proxy that aims at high availability. It can be used not only to proxy HTTP (Layer 7) but also to proxy TCP (Layer 4). Among the many things HAProxy offers, it is possible to access its management page to do active monitoring. I will talk about how to set up simple Nagios monitoring.

FusionPBX is a web frontend for FreeSWITCH (the best VoIP switch in my opinion). By default, FusionPBX hard-links a username to its domain. This means that user1 in the domain something.inside-out.xyz with password 123 is totally different from, and isolated from, user1 in the domain else.inside-out.xyz with password 123. But this default behavior is not always what we want in our PBX.

FusionPBX allows you to have a unique login. This is no surprise: almost every web site has moved to this by using the email address as the login, and FusionPBX is no exception. But it is turned off by default in 4.2. If you turn it on, you will be able to use your unique login (for example the email address, since a full address is supposed to belong to only one person) to get into FusionPBX. This is very handy: you will save money by purchasing a simple SSL certificate instead of a wildcard one, and you can have a somewhat independent server for the FusionPBX page. Just some ideas.

The Bug

DISCLAIMER: I have not personally reproduced this bug, but I have more than one report that it has happened. Please note you are only exposed to this bug if you have turned on the unique login.

While working at my day job, I was told that somehow a user was able to rename a username to the unique login of a user in a different tenant. After doing so, the user was able to log into a domain he was not meant to log into.

Furthermore, if a user knows the unique login of another user and updates one of his own users to that username, he is able to log in as that user. For example, the unique user [Miguel's email address] has admin access to his own domain dog.inside-out.xyz. Miguel knows that the user [bunny admin's email address] is the admin of the domain bunny.inside-out.xyz, and Miguel is aware of this bug. So Miguel creates the user [new email address] with a password he knows. Miguel then edits the username [new email address] and renames it to [bunny admin's email address], which already exists (here is the bug). Miguel tries to log into the system with the user he just created, and voilà! If he is lucky, he gets access to domain bunny.inside-out.xyz.

The Patch

Today I have sent two pull requests, #2484 and #2485, that prevent this. I will put the fix here anyway (for 4.2).

Edit the file core/users/usersupdate.php and look around line 115. You will find something like this:

$sql= "select count(*) as num_rows from v_users where domain_uuid = '".$domain_uuid."' and username = '".$username."'";

Replace that line with these:

// When logins are globally unique, the username must be unique across every domain;
// otherwise keep the original per-domain check.
$sql = "select count(*) as num_rows from v_users where username = '".$username."'";
if ($_SESSION["user"]["unique"]["text"] != "global"){
    $sql .= " and domain_uuid = '".$domain_uuid."'";
}

You are done. Good Luck!
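To see why the original per-domain count lets the rename through and the patched one blocks it, here is an added example that is not FusionPBX's own code: it replays the uniqueness check from core/users/usersupdate.php, before and after the patch, against an in-memory SQLite copy of a cut-down v_users table and then asks which domains a domain-less login would resolve to. It assumes a three-column v_users schema, models $_SESSION["user"]["unique"]["text"] as the string "global" or "false", uses constructed email addresses for the tenants, and uses parameter binding in place of the page's string-concatenated SQL.

```python
"""Added example, not FusionPBX code: the username-uniqueness check before and after
the patch, replayed against a constructed v_users table in SQLite."""
import sqlite3


def make_db():
    """Constructed sample tenants: an admin in each of two domains plus the user
    Miguel has just created in his own domain (names are made up)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table v_users (user_uuid text primary key, "
                "domain_uuid text, username text)")
    con.executemany("insert into v_users values (?, ?, ?)", [
        ("u-dog-admin",   "dom-dog",   "miguel@dog.inside-out.xyz"),
        ("u-bunny-admin", "dom-bunny", "admin@bunny.inside-out.xyz"),
        ("u-new",         "dom-dog",   "newuser@dog.inside-out.xyz"),
    ])
    return con


def username_taken_before(con, domain_uuid, username):
    """Check as it was before the patch: only the editing user's own domain is consulted,
    so a name that exists in another tenant looks free."""
    (n,) = con.execute(
        "select count(*) as num_rows from v_users where domain_uuid = ? and username = ?",
        (domain_uuid, username)).fetchone()
    return n > 0


def username_taken_after(con, domain_uuid, username, unique_mode):
    """Patched check: with global unique logins the username must be unique across
    every domain; otherwise fall back to the per-domain rule."""
    sql = "select count(*) as num_rows from v_users where username = ?"
    params = [username]
    if unique_mode != "global":
        sql += " and domain_uuid = ?"
        params.append(domain_uuid)
    (n,) = con.execute(sql, params).fetchone()
    return n > 0


def rename_user(con, user_uuid, domain_uuid, new_username, unique_mode, patched):
    """Apply the rename only when the selected check allows it; True if the row changed."""
    if patched:
        taken = username_taken_after(con, domain_uuid, new_username, unique_mode)
    else:
        taken = username_taken_before(con, domain_uuid, new_username)
    if taken:
        return False
    con.execute("update v_users set username = ? where user_uuid = ?",
                (new_username, user_uuid))
    return True


def login_candidates(con, username):
    """Domains a global (domain-less) login for this username could resolve to.
    More than one means the login is ambiguous, which is what the bug produces."""
    rows = con.execute("select domain_uuid from v_users where username = ?",
                       (username,)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    target = "admin@bunny.inside-out.xyz"
    before = make_db()
    print("before patch, rename allowed:",
          rename_user(before, "u-new", "dom-dog", target, "global", patched=False))
    print("  domains now answering to", target, "->", login_candidates(before, target))
    after = make_db()
    print("after patch, rename allowed:",
          rename_user(after, "u-new", "dom-dog", target, "global", patched=True))
    print("  domains answering to", target, "->", login_candidates(after, target))
```

Run as a script it shows the pre-patch rename succeeding and leaving two domains behind the same login, and the patched check refusing it while still allowing the same username in two different tenants when unique logins are off.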