Security Warning – FreePBX Distro and phpmyadmin

If you’re running FreePBX Distro then I recommend you do not install the version of phpmyadmin included, especially if the system is accessible over the Internet.

The version of phpmyadmin currently included (as of 15/8/11) is 2.11.9.6 –

Name       : phpmyadmin
Arch       : noarch
Version    : 2.11.9.6
Release    : 1.el5.rf
Size       : 4.2 M
Repo       : pbx

and this is affected by at least the following vulnerabilities –

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3055

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0987

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0986

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3056

It looks like the version of phpmyadmin included with the FreePBX Distro was pulled from rpmforge a while back, but is now out of date. If you want or need to install phpmyadmin, I suggest getting it from rpmforge (or installing from source, but make sure you keep it up to date!) –

Name       : phpmyadmin
Arch       : noarch
Version    : 2.11.11.3
Release    : 2.el5.rf
Size       : 4.2 M
Repo       : rpmforge
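
A quick way to check a box against the versions quoted above, as an added example (not part of the original post): the script compares the installed phpmyadmin RPM version with the rpmforge build 2.11.11.3 numerically, component by component, since a plain string comparison would rank 2.11.9.6 above 2.11.11.3. The function names are illustrative, and it assumes the package is named phpmyadmin as in the yum output.

```shell
#!/bin/sh
# Added example: flag a phpmyadmin package older than the rpmforge build
# quoted in the post. Plain POSIX sh, no `sort -V` (absent on old coreutils).

BASELINE="2.11.11.3"   # rpmforge version quoted in the post

# ver_lt A B: exit 0 if dotted numeric version A is older than B, else 1.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the leading component; empty once no dot remains.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# classify VERSION: print "outdated", "ok" or "unknown" for a version string.
classify() {
    case $1 in
        ''|*[!0-9.]*) echo "unknown"; return 2 ;;   # not a dotted numeric version
    esac
    if ver_lt "$1" "$BASELINE"; then
        echo "outdated"
    else
        echo "ok"
    fi
}

# Query the RPM database only where rpm exists and the package is installed.
if command -v rpm >/dev/null 2>&1 && rpm -q phpmyadmin >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}' phpmyadmin)
    echo "phpmyadmin $installed: $(classify "$installed")"
fi
```
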

The default advice remains the same though – make every effort to restrict who can get access to the web interface of any servers.

This information only affects FreePBX Distro (not FreePBX itself) and no SysAdminMan VPS customers are affected.