We are aware of a security issue with Bash, which is distributed as the default shell for operating systems such as Linux, on which PBXware is based.
PBXware, SERVERware and TELCOware are affected by this bug, but only in the Setup Wizard, and only if malicious users already have your server's ‘root’ credentials.
If users are not authenticated as root in the Setup Wizard, the system is not vulnerable (as no shell is executed at that point).
However small this potential vulnerability is in our case, we did not want to take any chances, so we have already created the patch.
To patch your PBXware Setup Wizard:
mv mini_httpd /root/mini_httpd.bak
chmod +x mini_httpd
To patch your PBXware 38x:
mv bash /root/old.bash
chmod +x bash
For older versions, we include the proper links at the end.
To patch your SERVERware 1.7.3.r15 or Newer:
To apply the Setup Wizard security patch to your SERVERware 1.8 or 1.7 r15 and later, log in to your SERVERware Controller GUI, navigate to System -> Updates and use your root username and password to authenticate.
When the Updates screen is displayed, select checkboxes U and R next to Setup Wizard only, and press the Start button.
After the update is complete, you can close your browser window.
To patch your SERVERware Controller (Only) 1.7.2x or Earlier Manually
## Earlier PBXware Version Available
Download link for mini_httpd:
Download link for bash in chroot environment: