Security Vulnerability in Asternic Call Center Stats PRO
We received a report of a compromised system running Asternic Call Center Stats PRO. On investigation we confirmed that an authenticated user could upload arbitrary files through the admin-language.php file (its import function); the upload is not reachable without logging in.
We then noticed that old RPM versions of the software in the Issabel repositories were installed with insecure default credentials, which in practice turns this authenticated upload into one anyone can reach. This does not happen when installing as the installation guide describes, with the command line install scripts rather than yum/rpm, because the command line installer prompts for the administrator password at install time. We have therefore pulled those old .rpm versions from the Issabel repositories.
Even though it is only exploitable by authenticated users, it is still a serious security vulnerability. We have already patched the software and urge you to upgrade to the latest version (2.3.11), available as of today.
One way to check whether your server may have been compromised is to look for .php files in the /var/www/html/stats/uploads directory, which should only ever contain imported data, never PHP code:
find /var/www/html/stats/uploads -name \*.php
If this command returns any files, they are most probably malicious and your system is compromised. An empty result does not prove the server is clean, since an attacker may have removed the uploaded files after use, so also review the web server access logs for requests to admin-language.php and to anything under /stats/uploads/.
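As an added example, not part of the original advisory or of Asternic's own tooling, the following POSIX shell script wraps the check above in a function that returns a distinct exit status for clean, compromised and missing directories, lists owner and modification time of each hit to help scope the incident timeline, and also matches other PHP-family extensions (.phtml, .phpN, .phar); those extra extensions are an assumption, since the advisory names only .php. The sample directory it builds is constructed here so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the Asternic advisory or product: scan an
# uploads directory for PHP files, which should never exist there.

# Prints every file under DIR whose extension marks it as PHP. The advisory
# names only .php; .phtml, .phpN and .phar are added on the assumption that
# the web server is configured to execute them as well.
find_php_uploads() {
    dir="$1"
    find "$dir" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# Exit status: 0 = no PHP files, 1 = PHP files found (treat as compromised),
# 2 = directory missing (the software may be installed elsewhere).
scan_uploads() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        printf 'error: %s is not a directory\n' "$dir" >&2
        return 2
    fi
    hits="$(find_php_uploads "$dir")"
    if [ -z "$hits" ]; then
        printf 'OK: no PHP files under %s\n' "$dir"
        return 0
    fi
    printf 'WARNING: PHP files under %s, most probably web shells:\n' "$dir"
    # ls -l shows owner and mtime, which help to scope the incident timeline.
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -l -- "$f"
    done
    return 1
}

# Builds a constructed sample uploads directory (one legitimate CSV import
# plus two planted PHP files, one with a mixed-case extension) and prints
# its path. Used only for trying the scanner without a real installation.
make_sample_uploads() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/sub"
    printf 'en,Hello\n' > "$tmp/language.csv"
    printf '<?php echo 1; ?>\n' > "$tmp/sub/index.php"
    printf '<?php echo 2; ?>\n' > "$tmp/cmd.PhTml"
    printf '%s\n' "$tmp"
}

# Usage: sh check_uploads.sh /var/www/html/stats/uploads
if [ "$#" -gt 0 ]; then
    scan_uploads "$1"
fi
```

Run it as root against the real uploads directory and treat exit status 1 as an incident, not just a cleanup task: a web shell means the admin credentials are known to the attacker and should be changed after upgrading.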
If you cannot upgrade, a quick fix for installations whose source is editable (the DEVEL version; the PRO files are IonCube encoded) is to edit /var/www/html/stats/admin-language.php, search for 'allow_import' and change its argument to false, like this:
$grid->allow_import(false);
Comments
Sadly, you cannot edit /var/www/html/stats/admin-language.php because it is encoded with IonCube, so your only option is to upgrade.
You are right, the fix applies to the Asternic Call Center Stats DEVEL version. Setting a strong password for the admin user, or perhaps also renaming the admin user to something else, will prevent the automated script kiddie attack.