VYPR
Unrated severity · NVD Advisory · Published Oct 21, 2019 · Updated Aug 5, 2024

CVE-2019-16985

Description

In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX up to v4.5.7 allows an authenticated user to delete arbitrary files on the server by supplying a base64-encoded file path in the `rec` parameter of `xml_cdr_delete.php`; the value is decoded and passed to unlink() without validation.

Vulnerability

The vulnerability exists in FusionPBX versions up to and including 4.5.7. In app/xml_cdr/xml_cdr_delete.php the request handler reads an id array of CDR UUIDs and a parallel rec array from $_REQUEST, so GET, POST or cookie data all qualify. Each rec entry is base64-decoded and passed straight to file_exists() and @unlink() with no validation and no confinement to the recordings directory [1][2]. Because the decoded value is used as a complete path, no traversal sequences are needed: the attacker simply encodes the absolute path of the file to delete.

Exploitation

An authenticated user who can reach xml_cdr_delete.php sends a request with at least one id[] value and, at the same index, a rec[] value holding the base64-encoded path of the target file. The handler decodes the path and, if the file exists, unlinks it; the @ operator suppresses any error, so the response gives no direct indication of success beyond the file's disappearance. No privileges beyond a valid session are required [2].

Impact

Successful exploitation allows an authenticated attacker to delete any file the web server user is permitted to remove, that is, any file in a directory writable by that user, regardless of who owns the file itself. This can lead to denial of service (for example by removing configuration or dialplan files the PBX depends on), loss of call recordings and other data, or potential privilege escalation if security-relevant files that other components rely on are removed.

Mitigation

The fix was committed on the same day the issue was reported (13 August 2019) in commit 284b0a91968f126fd6be0a486a84e065926905ca [1]. It drops the rec parameter entirely: each submitted id is checked with is_uuid(), the CDR and call-recording rows are handled with parameterized queries, and the file to delete is built from the call_recording_path and call_recording_name columns stored in the database for that UUID (with realpath() applied to the directory), so the client no longer controls the path. Users should upgrade to a version containing this fix or apply the patch manually. No workaround is documented.
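The deletion logic described in the Vulnerability, Exploitation and Mitigation sections, as an added example that is not FusionPBX code: it puts the pre-fix pattern (a client-supplied, base64-encoded path passed to unlink()) next to a hardened version that accepts only the record UUID and resolves the path from a trusted record. The $recordings array is a hypothetical stand-in for the v_call_recordings table, the UUID regular expression and the deleteVulnerable/deleteHardened names are this example's own, and the containment check against the recordings directory goes beyond the actual commit, which relies on the stored path alone. Run it with the php CLI; it creates and removes its own files under the system temp directory.

```php
<?php
// Added example, not FusionPBX code. Contrasts the pre-fix deletion logic
// with a hardened lookup that confines deletions to the recordings tree.

// --- Constructed fixture: a recordings directory plus a file outside it ---
$base = sys_get_temp_dir() . '/cdr_demo_' . bin2hex(random_bytes(4));
mkdir("$base/recordings", 0700, true);
file_put_contents("$base/recordings/call1.wav", 'audio');
file_put_contents("$base/secret.conf", 'db_password=...');   // must never be deletable

// Hypothetical stand-in for v_call_recordings. The second row is "poisoned":
// its stored directory points outside the recordings tree.
$recordings = [
    '8a5d0c2e-1b6f-4f3a-9c21-0f2d9e7b1a44' => ['path' => "$base/recordings", 'name' => 'call1.wav'],
    '2f1c7a90-3d4e-4b5c-8e6f-7a8b9c0d1e2f' => ['path' => $base,              'name' => 'secret.conf'],
];

// Pre-fix pattern: rec[] arrives base64-encoded, is decoded and handed straight
// to file_exists()/unlink(). Returns the number of files removed.
function deleteVulnerable(array $request): int
{
    $deleted = 0;
    foreach ($request['id'] as $i => $uuid) {
        $path = base64_decode($request['rec'][$i] ?? '');   // no validation of $uuid or $path
        if ($path !== '' && file_exists($path) && @unlink($path)) {
            $deleted++;
        }
    }
    return $deleted;
}

// Hardened pattern: the client supplies only the record UUID; the path comes
// from the trusted record and must resolve inside $allowedDir.
function deleteHardened(array $request, array $recordings, string $allowedDir): int
{
    $deleted     = 0;
    $allowedReal = realpath($allowedDir);
    if ($allowedReal === false) {
        return 0;                                            // recordings dir missing: refuse everything
    }
    foreach ($request['id'] as $uuid) {
        // Example UUID check (stand-in for FusionPBX's is_uuid()).
        if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $uuid)) {
            continue;
        }
        if (!isset($recordings[$uuid])) {
            continue;                                        // unknown record: nothing to delete
        }
        $row    = $recordings[$uuid];
        $target = realpath($row['path'] . '/' . $row['name']);
        if ($target === false) {
            continue;                                        // file already gone
        }
        // Containment check: the resolved file must live under the recordings tree,
        // even if the stored directory column has been tampered with.
        if (strpos($target, $allowedReal . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        if (unlink($target)) {
            $deleted++;
        }
    }
    return $deleted;
}

// Constructed attacker request: real-looking ids plus a rec[] entry that
// encodes an absolute path outside the recordings directory.
$attack = [
    'id'  => ['2f1c7a90-3d4e-4b5c-8e6f-7a8b9c0d1e2f', '8a5d0c2e-1b6f-4f3a-9c21-0f2d9e7b1a44'],
    'rec' => [base64_encode("$base/secret.conf")],
];

printf("vulnerable: deleted %d, secret.conf present: %s\n",
    deleteVulnerable($attack), var_export(file_exists("$base/secret.conf"), true));

file_put_contents("$base/secret.conf", 'db_password=...');   // restore for the second run

printf("hardened: deleted %d, secret.conf present: %s, call1.wav present: %s\n",
    deleteHardened($attack, $recordings, "$base/recordings"),
    var_export(file_exists("$base/secret.conf"), true),
    var_export(file_exists("$base/recordings/call1.wav"), true));

// Cleanup of the fixture.
@unlink("$base/recordings/call1.wav");
@unlink("$base/secret.conf");
rmdir("$base/recordings");
rmdir($base);
```

The vulnerable function removes secret.conf because the decoded rec[] value is the whole path. The hardened function ignores rec[] altogether, removes call1.wav through its stored record, and refuses the poisoned row whose stored directory resolves outside the recordings tree; that last refusal is what the containment check buys over trusting the database column on its own.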

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
284b0a91968f

Update xml_cdr_delete.php

https://github.com/fusionpbx/fusionpbx · FusionPBX · Aug 13, 2019 · via osv
1 file changed · +33 −19
  • app/xml_cdr/xml_cdr_delete.php · +33 −19 · modified
    @@ -17,7 +17,7 @@
     
     	The Initial Developer of the Original Code is
     	Mark J Crane <markjcrane@fusionpbx.com>
    -	Copyright (C) 2008-2012
    +	Copyright (C) 2008-2019
     	All Rights Reserved.
     
     	Contributor(s):
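Review bot: the copyright-year bump (`-	Copyright (C) 2008-2012` / `+	Copyright (C) 2008-2019`) is unrelated to the security fix; keeping cosmetic edits out of the patch makes it smaller to review and cleaner to backport to older 4.x branches.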
    @@ -45,33 +45,47 @@
     //get posted values, if any
     	if (sizeof($_REQUEST) > 0) {
     		$xml_cdr_uuids = $_REQUEST["id"];
    -		$recording_file_path = $_REQUEST["rec"];
    -
     		if (sizeof($xml_cdr_uuids) > 0) {
     			foreach ($xml_cdr_uuids as $index => $xml_cdr_uuid) {
    -				// delete record from v_xml_cdr
    -				$sql = "delete from v_xml_cdr ";
    -				$sql .= "where xml_cdr_uuid = '".$xml_cdr_uuid."' ";
    -				$prep_statement = $db->prepare(check_sql($sql));
    -				$prep_statement->execute();
    -				unset($sql, $prep_statement);
    -				//delete recording from fs and v_call_recordings respectively, if any
    -				if ($recording_file_path[$index] != '' ) {
    -					$sql = "delete from v_call_recordings ";
    -					$sql .= "where call_recording_uuid = '".$xml_cdr_uuid."' ";
    -					$prep_statement = $db->prepare(check_sql($sql));
    -					$prep_statement->execute();
    -					unset($sql, $prep_statement);
    -					if (file_exists(base64_decode($recording_file_path[$index]))) {
    -						@unlink(base64_decode($recording_file_path[$index]));
    +				if (is_uuid($xml_cdr_uuid)) {
    +					// delete record from v_xml_cdr
    +					$sql = "delete from v_xml_cdr ";
    +					$sql .= "where xml_cdr_uuid = :xml_cdr_uuid ";
    +					$parameters['xml_cdr_uuid'] = $xml_cdr_uuid;
    +					$database = new database;
    +					$database->execute($sql, $parameters);
    +					unset($sql, $parameters);
    +
    +					//get the call recordings
    +					$sql = "select * from v_call_recordings ";
    +					$sql .= "where call_recording_uuid = :xml_cdr_uuid ";
    +					$parameters['xml_cdr_uuid'] = $xml_cdr_uuid;
    +					$database = new database;
    +					$row = $database->select($sql, $parameters, 'row');
    +					unset($sql, $parameters);
    +
    +					//delete the call recording
    +					$call_recording_path = realpath($row['call_recording_path']);
    +					$call_recording_name = $row['call_recording_name'];
    +					if (file_exists($call_recording_path.'/'.$call_recording_name)) {
    +						@unlink($call_recording_path.'/'.$call_recording_name);
     					}
    +
    +					//delete the call recording meta data
    +					$sql = "delete from v_call_recordings ";
    +					$sql .= "where call_recording_uuid = :xml_cdr_uuid ";
    +					$parameters['xml_cdr_uuid'] = $xml_cdr_uuid;
    +					$database = new database;
    +					$database->execute($sql, $parameters);
    +					unset($sql, $parameters);
    +
     				}
     			}
     		}
     	}
     
     //set message and redirect the user
     	$_SESSION["message"] = $text['message-delete'].": ".sizeof($xml_cdr_uuids);
    -	header("Location: xml_cdr.php".(($_SESSION['xml_cdr']['last_query'] != '') ? "?".$_SESSION['xml_cdr']['last_query'] : null));
    +	header("Location: xml_cdr.php");
     
     ?>
    
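Review bot: the call-recording lookup is not guarded against an empty result: when `$row = $database->select($sql, $parameters, 'row');` returns nothing (a CDR with no recording), `$call_recording_path = realpath($row['call_recording_path']);` and the following `file_exists($call_recording_path.'/'.$call_recording_name)` still run on undefined values, and `@unlink` hides whatever happens next. Wrap the delete in a check that `$row` is non-empty and that `$row['call_recording_path']` is an existing directory. Separately, nothing confines the resolved path to the recordings directory; the fix trusts `v_call_recordings.call_recording_path` and `call_recording_name` completely, so any code path that can write those columns regains the arbitrary delete. Comparing the realpath() result against the configured recordings base directory before unlinking would close that gap. The is_uuid() gate and the switch to parameterized `:xml_cdr_uuid` queries are the right changes for the CDR and recording rows themselves.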

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.