Why would you have the web interface connected to the Internet without any security?

Over and over we tell people it is not reasonable to expect the administrative interface of a phone system to be secure.

If you still insist on doing this why would you not at least do an htaccess on the web folders?

Don't start blaming others and fear mongering in the forums because you did not take basic steps to secure your system.

Please ensure that you have upgraded your modules, as this issue was already resolved.

It was fixed in 2.9 over a month ago. Make sure you have the most updated core and framework modules.

This is actually super lame. I am tired of listening to comments which say "you should not put this stuff on the internets".
Where in the installation process the eager beaver aka the VoIP expert is warned about the dangers of doing so ?

1. Why FPBX does not, by default, restrict access to the GUI to only RFC1918 networks ? People who want to enable access from the internets should accept a warning which says 'this software can be exploited by a 5 year old' , do you still need to enable access ???

2. The release process should include testing unauthenticated access to all files containing sensitive info. If there was any testing of this kind this costly(for many) exploit would have been prevented.

That file should never have been left their and it was a mistake in 2.9 for over a year before it was reported. One of the good things about being opensource is it allows the community as a whole to also help review code and make sure we have not screwed up on something. All the code is their for everyone to see and review and make changes or recommendations.

I just tested this on the 1.87.29.55 and 1.88.210.57 releases which are the 2 releases in the last 6 months and neither allow you to go to http://xxx/admin/modules/framework/bin/gen_amp_conf.php and get any info. So not sure why you are stating differently.

What other thread are you talking about. This talking in disguise does no good. No where in here do you refer to another thread. You put a link to a Digium forum post that is a year old with no real input from others. You also have a link to a feature request about not passing clear passwords but nothing else here. As we always state your Web GUI of FreePBX should not be exposed to the whole world. This drama is driving me to drink and is getting old.

Here you go:

You need to specify the string you are looking for as an argument ( usually your password ;-)
It takes about 30 secs to finish on my install under Virtual Box

My two cents,

first of all, SkykingOH, thanks for your patience in helping to get some useful information out of the post here. Also, thank you for your humbleness as you are WAY more important to this project and your contributions then you elude to!

As far as this issue, I would simply ask readers (and the reporter) who have gone this far in the future to approach this sort of issue with a bit more of a level head and remove the drama, accusations, confrontations, etc. It does no one any good and simply gets a lot of less knowledgable people who may be reading these blogs concerned without understanding the implications.

As Tony mentioned, this was published less than 3 days ago, it was reported yesterday and it was fixed and published this morning. It was a security issue though as Tony points out, an issue that was limited to the ARI admin credentials which gives access a wider range of call recordings and similar. That clearly makes it a security concern which are all taken seriously. That, or anything else, doesn't really call for the "panic' that seems to be running through some of the emotions here.

Thanks everyone who found this, reported it and helped track it down to get resolution!