Slashdot Mirror


User: mikesm

mikesm's activity in the archive.

Stories: 0 · Comments: 1

Comments · 1

  1. I believe Fonality PBXs are also vulnerable! on Linux-Based Phone System Phones Home · Score: 1

    I have been trying to figure out why any competent engineer would architect a system this way. Then I thought, maybe they just are doing what an existing system already does. From looking at the registry.pl file, the URI contacted for the script differs based on the server ID and a Fonality-specific config file. It looks like there are three choices for the download URI, one is registry.trixbox.com (if the Fonality config file is not present), but the others are proregistry.trixbox.com, or update.fonality.com, which look like the other Fonality PBX products that are in the field today (Trixbox PRO and Fonality's proprietary system). This sure looks to me like this same process and terrible security architecture is used by trixbox pro and Fonality PBXs as well as trixbox CE. Yet, no one at Fonality has admitted this, much less issued a security advisory. I have posted a question to the Fonality folks in the trixbox phones home thread, but no reply. Does the Fonality user base realize how vulnerable they are? How many users put their PBX on a special firewalled network from their corporate systems? This looks like it is a far bigger problem than just trixbox. And why is Fonality not talking about the other platforms?