Security Vulnerability in 2.6.1

There has been a vulnerability posted against trixbox 2.6.1 today. We have already fixed the issue and it will become available in the repos within the next 48 hours. Thanks to Jean-Michel for pointing out the problem to us.

July 10 - Patch pushed to repo, update tbm-GUICore for update.

-Kerry

Please shed some light on

Please shed some light on specifics of this vulnerability, so each of us can consider if this update is necessary in our setup.

Basically it deals with

Basically it deals with un-sanitized data. If you have port 80 blocked and trust your internal users, you should be okay.

Update both 2.6.1.1-23 or 2.6.1.1-17 ?

Just need a little help understanding why I see two versions in the packages section.
One at line #438: trixbox Update tbm-GUIcore tbm-GUIcore - The base of the Trixbox GUI Modules 2.6.1.1-17,
and the other at line #576: trixbox Update tbm-GUIcore tbm-GUIcore - The base of the Trixbox GUI Modules 2.6.1.1-23.
Do I need to update both?
Thanks in advance for the reply.

This is more serious than I thought

Hi,

I've been reading lots about this security vulnerability. I don't fully understand the technicalities of PHP files and how the web pages are built and modified.

I've had a couple of TB servers (2.4.2 and 2.6.1) set up as test/honeypots. I noticed the first signs a couple of weeks ago when the TB and FreePBX GUIs stopped working. Asterisk call control remained OK; the server still routed calls fine. I saw this as a minor annoyance. Eventually, I'd have to rebuild the servers.

However, today I received a phone call from my ISP security team saying that my IP address had been identified as a phishing website and they were going to block my Internet connection.

I looked on my TB server and found an ebay folder (/var/www/html/ebay). I browsed through the path and, lo and behold, I found a realistic eBay login screen on my trixbox server.

I think Fonality should e-mail all users about this vulnerability/exploit. I don't think I've actually received an e-mail from Fonality about it (I receive plenty of e-mails about trixbox Pro training/reselling sessions, etc.).

Fonality must have an e-mail database derived from the trixbox install/registration pop-up.

Also, there is no clear statement as to which versions are affected (trixbox 2.2? 2.0?).

Regards,
