[VOIPSEC] Message from a parallel universe - Trixbox et al.
Paul Leger
paul.leger at hushmail.com
Wed Nov 24 17:56:00 CST 2010
Greetings,
I need some help from folks on this list in a situation I am
dealing with.
I have been participating for the past few months in forums over at
trixbox.org which is a forum for Trixbox - an Asterisk and FreePBX
based distro.
What keeps amazing me is the attitude of these people towards
security - these folks just do not care.
I tried bringing to their attention numerous security issues and
almost never received as much as an acknowledgement.
Trixbox is a distro which should never be connected to the internet,
yet numerous people install it and put on machines with direct
( or via port forwarding) internet access and get hacked almost
instantly.
To make things worse, one of the authors of Trixbox/PBX related
books is quite active on the forums and openly dismissive about
security issues as well.
His books include gems like advising people to port forward port
5060-5061 to the PBX in order to enable SIP to work.
Nowhere in his Trixbox book is any mention of the default web user -
wwwadmin. This user has access to the entire FreePBX management
system and its password cannot be changed via any of the provided
tools, which means it is beyond the capabilities of an average
trixbox user who also expects trixbox to be a complete solution.
To see some of the recent musings check:
http://trixbox.org/forums/trixbox-forums/open-discussion/security-how-get-your-trixbox-hacked-no-time
http://trixbox.org/forums/trixbox-forums/open-discussion/memcached-insecurity-mentioned-slashdot-872010
In case the URLs get folded:
http://tinyurl.com/22lpkaj
http://tinyurl.com/2fupos7
thanks,
Paul