CVE-2020-21057

8.1 HIGH

📋 TL;DR

This CVE describes a directory traversal vulnerability in FusionPBX 4.5.7 that allows authenticated remote attackers to delete arbitrary folders on the system. The vulnerability exists in the folderdelete.php script where improper input validation of the 'folder' parameter enables path traversal attacks. This affects all FusionPBX installations running version 4.5.7.

💻 Affected Systems

Products:
  • FusionPBX
Versions: 4.5.7 specifically
Operating Systems: Linux, Windows, BSD (any OS running FusionPBX)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface. All default installations of FusionPBX 4.5.7 are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through deletion of critical system folders, leading to service disruption, data loss, and potential privilege escalation.

🟠 Likely Case: Unauthorized deletion of application folders, configuration files, or user data, causing service disruption and data loss.

🟢 If Mitigated: Limited impact where proper file permissions and directory restrictions are in place.

🌐 Internet-Facing: HIGH - Web-accessible interface with authenticated access required.
🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. Public proof-of-concept demonstrates folder deletion via crafted folder parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 026c3958c3c7ca6b2ff067addc991aac8f41cf11; any release that includes this commit carries the fix

Vendor Advisory: https://github.com/fusionpbx/fusionpbx/commit/026c3958c3c7ca6b2ff067addc991aac8f41cf11

Restart Required: No

Instructions:

1. Update to the latest FusionPBX version.
2. Apply commit 026c3958c3c7ca6b2ff067addc991aac8f41cf11.
3. Replace app/edit/folderdelete.php with the patched version.

🔧 Temporary Workarounds

Disable folderdelete.php (linux)

Temporarily disable the vulnerable script to prevent exploitation:

mv /var/www/fusionpbx/app/edit/folderdelete.php /var/www/fusionpbx/app/edit/folderdelete.php.disabled

Implement input validation (all)

Add path traversal validation to the folder parameter:

if (strpos($folder, '..') !== false) { die('Invalid folder path'); }
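The substring check above rejects a literal '..' but says nothing about where the resolved path ends up. The following is an added example, not FusionPBX code: a canonicalisation-based check that assumes the deletion script joins the 'folder' parameter onto one fixed base directory; safe_folder_path, the base path and the demo directory tree are hypothetical.

```php
<?php
// Added example, not FusionPBX code. Assumes the deletion script joins the
// user-supplied 'folder' parameter onto one fixed base directory ($base_dir,
// hypothetical) and that only sub-directories of that base may be removed.
function safe_folder_path(string $base_dir, string $folder): ?string
{
    // Empty input and NUL bytes are rejected before touching the filesystem.
    if ($folder === '' || strpos($folder, "\0") !== false) {
        return null;
    }
    // realpath() collapses '.', '..' and symlinks; it returns false when the
    // path does not exist, so a non-existent folder is rejected here too.
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $folder);
    if ($base === false || $target === false) {
        return null;
    }
    // The resolved target must lie strictly below the base, never equal to it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_dir($target)) {
        return null;
    }
    return $target;
}

// Demo on a constructed directory tree under the system temp dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fpbx_demo_' . getmypid();
$base = $root . DIRECTORY_SEPARATOR . 'recordings';
mkdir($base . DIRECTORY_SEPARATOR . 'old', 0700, true);
mkdir($root . DIRECTORY_SEPARATOR . 'outside', 0700); // sibling that must stay unreachable
foreach (['old', '../outside', 'old/../../outside', '/etc', ''] as $input) {
    $resolved = safe_folder_path($base, $input);
    printf("%-20s => %s\n", var_export($input, true),
        $resolved === null ? 'rejected' : 'allowed: ' . $resolved);
}
// Remove the constructed tree again.
foreach ([$base . '/old', $base, $root . '/outside', $root] as $dir) {
    rmdir($dir);
}
```

Because realpath() resolves symlinks before the prefix comparison, a link inside the base that points elsewhere is rejected as well.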

🧯 If You Can't Patch

  • Implement strict file permissions to limit damage from folder deletion
  • Deploy web application firewall (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running FusionPBX 4.5.7 and examine app/edit/folderdelete.php for lack of path traversal validation

Check Version:

grep 'software_version' /etc/fusionpbx/config.php

Verify Fix Applied:

Verify commit 026c3958c3c7ca6b2ff067addc991aac8f41cf11 is applied and test folder deletion with traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed folder deletion attempts
  • Unusual folder paths in delete requests
  • Access to folderdelete.php with traversal patterns

Network Indicators:

  • POST requests to /app/edit/folderdelete.php containing '..' patterns
  • Unusual sequence of folder operations

SIEM Query:

source="web_access.log" AND uri="/app/edit/folderdelete.php" AND (request CONTAINS ".." OR request CONTAINS "%2e%2e")
