Page tree
Skip to end of metadata
Go to start of metadata

FreePBX itself has several security limitations in place but one you should take special note of is if any of the files inside your module are called:

  • index.php
  • ajax.php
  • config.php

These files are allowed to be executed anywhere without having to be logged into FreePBX.

These files primarily exist in the FreePBX root directory. The htaccess controlling these files is pretty broad and matches simply by name as most modules do not have the files listed above. In the root folder of FreePBX index.php redirects to config.php and ajax.php is an ajax handler for FreePBX.

However, because these files are allowed to be executed through .htacces file restrictions, this means the three files above can be accessed anywhere within FreePBX (did we mention you probably should not be using them?) this means that your module must either:

  • Not contain any of the files listed above so as they don't get executed
  • Or if you need one of the files above you should think about placing the code snippet below in the first few lines of your module so that no malicious external attacks can take place against your module

    if (!defined('FREEPBX_IS_AUTH')) { die('No direct script access allowed'); }