Security Holes & Backdoors In FreePBX

I found a chilling article by chance the consequence was extremely bad!

It seems security was not high on the agenda when FreePBX was initially developed and the developers had built some default and backdoors into a system for easy access. Whilst I think this is a terrible idea, it doesn’t seem like the project has ever cleansed it of all of these developer friendly holes (turned security issues). The article on Nerd Vittles gives a full account of the issue and the username:passwords that were used during the development. They are as follows:

admin:admin
admin:password
admin:passworm
maint:admin
maint:maint
maint:password
maint:passworm
wwwadmin:password
wwwadmin:wwwadmin
wwwadmin:admin
asteriskuser:eLaStIx.asteriskuser.2oo7

The above format is username:password and to test them just go to the administration page of FreePBX http://[server]/admin e.g http://www.dannytsang.co.uk/admin

I do not 100% agree with the starting from scratch with a fresh install because some people may have taken extra precautions (such as myself) so fixing the issue won’t be as bad as stated. There’s also a security primer on the same site which will help with securing FreePBX. The problem is the article doesn’t specifically state how to fix it except to change the default passwords? How? Also the post could go through or link how to backup the existing install so that it’s not 100% lose. I’m not complaining but more like constructive criticism because I’m in that boat.

Some of the techniques to secure web servers and Ubuntu (if FreePBX is running on Ubuntu) will apply to FreePBX and I may post more articles to help secure FreePBX.

News: FreePBX/Asterisk Security Flaw

FreePBX Backdoor Passwords Pose Asterisk Security Threat

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Apache 2 Hardening Tips

About Danny

I.T software professional always studying and applying the knowledge gained and one way of doing this is to blog. Danny also has participates in a part time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premise. Dedicated to I.T since studying pure Information Technology since the age of 16, Danny Tsang working in the field that he has aimed for since leaving school. View all posts by Danny → This entry was posted in Linux, Networking, PBX, Security. Bookmark the permalink.

Leave a Reply