CVE-2014-7235


Confirmed version enumeration of the FreePBX instance has given me an opportunity to find more potential vulnerabilities that would provide an initial foothold. I came across CVE-2014-7235.

CVE-2014-7235 is a vulnerability that affects Elastix 2.2.0, an open-source telephony platform based on Asterisk. The vulnerability is caused by a lack of proper input validation in the “graph.php” script, which allows an attacker to include arbitrary files on the affected system, including sensitive files such as the /etc/amportal.conf file.

The vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable script, with a parameter that contains the path to the file that the attacker wants to include. The path can include “../” sequences to navigate to parent directories, which allows an attacker to include any file on the filesystem that the web server process has permissions to access.

Exploiting this vulnerability allows an attacker to view the contents of sensitive files, such as the amportal.conf file, which could contain credentials and other sensitive information that could be used to compromise the system. Additionally, an attacker could use this vulnerability to include and execute arbitrary scripts, which could lead to complete compromise of the affected system.
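
A defender-side check for the request pattern described above, as an added example that is not part of the original write-up: it scans web server access logs for requests to graph.php whose parameters contain "../" sequences, including percent-encoded and double-encoded ones. The log lines, the /app/ path and the parameter name `p` are constructed placeholders, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines; the /app/ path and the parameter
# name "p" are placeholders, not values from the original page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/graph.php?p=en HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/graph.php?p=../../../../etc/amportal.conf HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /app/graph.php?p=%252e%252e%252f%252e%252e%252fetc%252famportal.conf HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/index.php?p=../x HTTP/1.1" 404 0
"""

# client, method, request target and status from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# ".." as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '../' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_text, script="graph.php"):
    """Return (client, param, decoded_value, status) for each suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qsl decodes one layer; fully_decode strips any further layers
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                hits.append((client, name, value, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status and a large response body deserves priority in triage, since it suggests the included file was actually returned.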

Exploit


This vulnerability is directly linked to configuration file discovery.