dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security Fixes (#4268) 

* Updated fixes for CVE-2019-11409

* Fix for XSS - (CVE-2018-19094)

* Fix for fax cmd injection (CVE-2018-19096)
This commit is contained in:
blackwolfresearch 2019-06-06 20:46:01 -04:00 committed by FusionPBX
parent 13270cca6d
commit ece98a9c01
2 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/calls_active/calls_active_inc.php
View File

@ -202,8 +202,8 @@
echo "<td valign='top' class='".$row_style[$c]."'>".$domain_name."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".$domain_name."&nbsp;</td>\n";
} }
echo "<td valign='top' class='".$row_style[$c]."'>".$tmp_number."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".$tmp_number."&nbsp;</td>\n";
echo "<td valign='top' class='".$row_style[$c]."'>".$cid_name."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".escape($cid_name)."&nbsp;</td>\n";
echo "<td valign='top' class='".$row_style[$c]."'>".$cid_num."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".escape($cid_num)."&nbsp;</td>\n";
echo "<td valign='top' class='".$row_style[$c]."'>".$dest."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".$dest."&nbsp;</td>\n";
echo "<td valign='top' class='".$row_style[$c]."'>".((strlen($application) > 0) ? $application.":".$application_data : null)."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".((strlen($application) > 0) ? $application.":".$application_data : null)."&nbsp;</td>\n";
echo "<td valign='top' class='".$row_style[$c]."'>".$read_codec.":".$read_rate." / ".$write_codec.":".$write_rate."&nbsp;</td>\n"; echo "<td valign='top' class='".$row_style[$c]."'>".$read_codec.":".$read_rate." / ".$write_codec.":".$write_rate."&nbsp;</td>\n";

9
resources/install/scripts/app/fax/resources/scripts/hangup_rx.lua
View File

@ -57,6 +57,13 @@
return s return s
end end
-- escape shell arguments to prevent command injection
local function shell_esc(x)
return ("'"..x:gsub('\\', '\\\\')
:gsub('\'', '\\\'').."'")
end
-- set channel variables to lua variables -- set channel variables to lua variables
domain_uuid = env:getHeader("domain_uuid"); domain_uuid = env:getHeader("domain_uuid");
domain_name = env:getHeader("domain_name"); domain_name = env:getHeader("domain_name");
@ -219,6 +226,8 @@
else else
cmd = cmd .. "fax_prefix=false "; cmd = cmd .. "fax_prefix=false ";
end end
cmd=shell_esc(cmd);
freeswitch.consoleLog("notice", "[fax] command: " .. cmd .. "\n"); freeswitch.consoleLog("notice", "[fax] command: " .. cmd .. "\n");
result = api:execute("system", cmd); result = api:execute("system", cmd);