The recent vulnerability in the Asterisk and FreePBX ARI login.php file is not addressed by an update to ARI in the unembedded FreePBX on Elastix 2.4.
This means that your systems will still be vulnerable.
We have produced a patch that you can apply to address this. The patch can be downloaded from https://s3.amazonaws.com/filesandpatches/ari.patch and applied as detailed below.
Log on to the server console and run:

cd /var/www/html/recordings/includes
cp login.php /root/login.php.ari
wget https://s3.amazonaws.com/filesandpatches/ari.patch
patch < ari.patch

Then, to check that the patch applied, either log in to the server's ARI interface or run

cat login.php |grep json

and you should get the following output:

$buf = json_decode($_COOKIE['ari_auth'],true);
$data = json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true);
$data = $crypt->encrypt(json_encode($data),$ARI_CRYPT_PASSWORD);
$buf = json_encode(array($data,$chksum));

Also check whether you have a copy of the file in the fw_ari directory:

ls -l /var/www/html/admin/modules/fw_ari/htdocs_ari/includes

If there is a login.php there, copy the patched version over it:

cp /var/www/html/recordings/includes/login.php /var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php

After these actions, check that the file ownership is still correct; if it is not, run

chown asterisk:asterisk /var/www/html/recordings/includes/login.php
This patch also applies to any older version of ARI out there.
Also be on the lookout for two suspicious files, named "c.sh" and "c2.pl" respectively. If you see either of these files, remove it immediately!
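The following script, added here as an example and not part of the original post or the patch, automates the checks described above: it confirms that a login.php carries the patched json_decode/encrypt lines, that any fw_ari copy is identical to the patched file, that ownership is asterisk:asterisk, and it lists any c.sh or c2.pl under a web root. The sample files it creates in a temporary directory are constructed for the demo, not real server files.

```shell
#!/bin/sh
# Added verification helper (not from the original post). Assumes a POSIX sh
# with grep, cmp, ls, awk and find available, as on Elastix/CentOS.

# check_ari_login FILE -> 0 if FILE contains all three patched lines, else 1
check_ari_login() {
    [ -r "$1" ] || return 1
    grep -qF "json_decode(\$_COOKIE['ari_auth'],true)" "$1" || return 1
    grep -qF "\$crypt->decrypt(\$data,\$ARI_CRYPT_PASSWORD)" "$1" || return 1
    grep -qF "\$crypt->encrypt(json_encode(\$data),\$ARI_CRYPT_PASSWORD)" "$1"
}

# check_fw_ari_copy MAIN COPY -> 0 if COPY is absent or byte-identical to MAIN
check_fw_ari_copy() {
    [ -e "$2" ] || return 0
    cmp -s "$1" "$2"
}

# check_owner FILE OWNER:GROUP -> 0 if ls reports exactly that owner and group
check_owner() {
    [ "$(ls -ld "$1" | awk '{print $3 ":" $4}')" = "$2" ]
}

# find_dropped_files DIR -> prints any c.sh or c2.pl found under DIR
find_dropped_files() {
    find "$1" -type f \( -name c.sh -o -name c2.pl \) 2>/dev/null
}

# --- constructed sample data for a stand-alone run (not real server files) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/patched.php" <<'EOF'
$buf = json_decode($_COOKIE['ari_auth'],true);
$data = json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true);
$data = $crypt->encrypt(json_encode($data),$ARI_CRYPT_PASSWORD);
$buf = json_encode(array($data,$chksum));
EOF
# stand-in for an unpatched file: reads the cookie without the json/crypt lines
printf '$buf = $_COOKIE[%s];\n' "'ari_auth'" > "$demo_dir/unpatched.php"
: > "$demo_dir/c.sh"   # constructed dropped file to exercise the search

for f in patched.php unpatched.php; do
    if check_ari_login "$demo_dir/$f"; then echo "$f: patched"; else echo "$f: NOT patched"; fi
done
check_fw_ari_copy "$demo_dir/patched.php" "$demo_dir/unpatched.php" || echo "fw_ari copy differs"
check_owner "$demo_dir/patched.php" asterisk:asterisk || echo "ownership is not asterisk:asterisk"
find_dropped_files "$demo_dir" | sed 's/^/suspicious file: /'
rm -rf "$demo_dir"
```

On a real server, call the functions with /var/www/html/recordings/includes/login.php, the fw_ari path from the post, and /var/www/html as the search root.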
More details are available here: http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536 or here: http://support.freepbx.org/node/92822