CVE-2009-1803

Name of the Vulnerable Software and Affected Versions: FreePBX versions 2.4.x through 2.5.1 FreePBX version 2.6.x (pre-release)

Description: The issue allows remote attackers to enumerate valid usernames by generating different error messages for a failed login attempt depending on whether the user account exists.

Recommendations: For FreePBX versions 2.4.x through 2.5.1, consider modifying the login error messages to be generic and not indicative of whether the user account exists or not. For FreePBX version 2.6.x (pre-release), consider the same modification as above until a formal release with the fix is available. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.