Multiple vulnerabilities in 3CX 6.0.806.0

[Chris Castaldo <chris.castaldo () gmail com>]

Synopsis: 3CX 6.0.806.0 is vulnerable to session hijacking, XSS,
information disclosure and DoS.

Background: "3CX Phone System for Windows is a software-based IP PBX
that replaces traditional proprietary hardware PBX / PABX. 3CX’s IP PBX
has been developed specifically for Microsoft Windows and is based on
the SIP standard – making it easier to manage and allowing you to use
any SIP phone (software or hardware)."

Issue 1: By default 3CX does not run HTTPS allowing an attacker to sniff
the administrators session ID and masquerade as the administrator and
perform tasks on their behalf.

Issue 2: XSS is possible in the fName and fPassword fields on the main
login page for the console (login.php)

Issue 3:  If the drive in which 3CX is installed reaches 100% capacity
the login.php page reveals the installation path to any user.

Issue 4: Performing vulnerability scans (Nessus/SAINT) against a 3CX
server causes the server to become unstable, crash and is non
recoverable and must be reinstalled to use again.

Time line:
Discovered: August 5th 2008
Vendor notified: August 24th 2008
Vendor response: September 3rd, 2008
Vendor fix: November 2008

Chris Castaldo

"An ounce of prevention is worth a pound of cure."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/