Directory Traversal Vulnerability in FreePBX Configuration Interface
CVE-2010-3490

Currently unrated

Key Information:

Vendor

Sangoma

Status
Freepbx
Vendor
CVE Published:
28 September 2010

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2010-3490?

A directory traversal vulnerability exists in the System Recordings component of the FreePBX configuration interface. Specifically, in versions 2.8.0 and earlier, remote authenticated administrators can exploit this vulnerability to create arbitrary files on the server by manipulating the usersnum parameter in admin/config.php. By using a '..' (dot dot) sequence, an attacker may create harmful files, such as a .php script, within the web root directory, thereby potentially enabling remote code execution and further compromising the system.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2010-3490 - Proof of Concept

CVE-2010-3490
Created by moayadalmalat

References

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-...
x_refsource_MISC
http://www.securityfocus.com/archive/1/513947/100/0/threaded
mailing-listx_refsource_BUGTRAQ
http://www.securityfocus.com/bid/43454
vdb-entryx_refsource_BID

EPSS Score

8% chance of being exploited in the next 30 days.

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.