Security Vulnerability in Asternic Call Center Stats PRO
We received a report about a compromised system running Asternic Call Center Stats PRO. Upon investigation we confirmed that it was possible to upload arbitrary files through the admin-language.php page, but only as an authenticated user.
We then noticed that old RPM versions of the software in the Issabel repositories were installed with insecure default credentials. This does not happen when installing according to the installation guide with the command-line install scripts instead of yum/rpm, because the command-line installation prompts for the administrator password at install time. We therefore decided to pull those old .rpm versions from the Issabel repositories.
Even though it is only exploitable by authenticated users, it is still a serious security vulnerability: an attacker who obtains or guesses the administrator password can upload a web shell and run code on the server. We have already patched the software and urge you to upgrade to the latest version (2.3.11), available as of today.
One way to find out whether your server has been compromised is to look for .php files in the /var/www/html/stats/uploads directory:
find /var/www/html/stats/uploads -name \*.php
If this command returns any files, they are almost certainly malicious and you should treat the system as compromised. An empty result does not prove the server is clean: an attacker may have removed the uploaded file after using it, so also review the web server access logs for requests to admin-language.php and to unexpected files under /stats/uploads/.
If you cannot upgrade, a quick workaround is to edit the file /var/www/html/stats/admin-language.php, search for 'allow_import' and set it to false, like this: