Synopsis: 3CX 6.0.806.0 is vulnerable to session hijacking, XSS, information disclosure and DoS. Background: "3CX Phone System for Windows is a software-based IP PBX that replaces traditional proprietary hardware PBX / PABX. 3CX’s IP PBX has been developed specifically for Microsoft Windows and is based on the SIP standard – making it easier to manage and allowing you to use any SIP phone (software or hardware)." Issue 1: By default 3CX does not run HTTPS allowing an attacker to sniff the administrators session ID and masquerade as the administrator and perform tasks on their behalf. Issue 2: XSS is possible in the fName and fPassword fields on the main login page for the console (login.php) Issue 3: If the drive in which 3CX is installed reaches 100% capacity the login.php page reveals the installation path to any user. Issue 4: Performing vulnerability scans (Nessus/SAINT) against a 3CX server causes the server to become unstable, crash and is non recoverable and must be reinstalled to use again. Time line: Discovered: August 5th 2008 Vendor notified: August 24th 2008 Vendor response: September 3rd, 2008 Vendor fix: November 2008 Chris Castaldo "An ounce of prevention is worth a pound of cure." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/