CVE-2019-16986
Description
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 contains a path traversal vulnerability in resources/download.php and resources/secure_download.php that lets an authenticated user download arbitrary files from the server's filesystem.
Vulnerability
In FusionPBX up to v4.5.7, the files resources/download.php and resources/secure_download.php use an unsanitized "f" parameter from the URL, allowing path traversal to download arbitrary files [1][2][3].
Exploitation
An authenticated attacker can craft a URL with a path traversal payload in the "f" parameter to download any file readable by the web server process. No privileges beyond a valid login are required [3].
Impact
An attacker can download sensitive files such as configuration files, credentials, or any other readable file, leading to information disclosure. The CVSS base score is 6.5 (Medium) [3].
Mitigation
The vulnerability was fixed by deleting the vulnerable download.php and secure_download.php files in commits [1] and [2]. The fix was released on August 11, 2019 [3]. Users should upgrade to a release later than v4.5.7 or apply the patches; because the fix is a deletion, removing resources/download.php and resources/secure_download.php from an existing deployment is equivalent, and any replacement download route must resolve the requested name under a fixed base directory and reject paths that leave it.
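The fix removes the endpoint entirely. For a deployment that needs a download route, the following is an added example written for this page, not FusionPBX code: the containment check that download.php lacked, run against the kinds of payloads the Exploitation section describes. The base directory /srv/fusionpbx/downloads, the function names, and the temp-directory self-test are assumptions made for illustration.

```php
<?php
// Added example, not FusionPBX code. Replaces the deleted pattern
//   $file = $_GET["f"]; DownloadFile($file_dir.$file);
// with a handler that pins the requested name under one base directory.
// The base directory and the temp-file self-test are assumptions for illustration.

declare(strict_types=1);

/**
 * Map a user-supplied name to a file strictly inside $base_dir, or return null.
 * realpath() collapses "..", "." and symlinks, so the prefix comparison is made
 * on the canonical path rather than on the attacker-controlled string.
 */
function resolve_download_path(string $base_dir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                                   // empty or NUL-truncated name
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                                   // base directory must exist
    }
    // Always join under $base: an absolute "/etc/passwd" becomes "$base//etc/passwd".
    // The deleted code did the opposite: with $file_dir empty, the raw value was the whole path.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                                   // missing, or a directory
    }
    // Compare with a trailing separator so "/srv/files_private" cannot pass for base "/srv/files".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // escaped via "..", a symlink, etc.
    }
    return $candidate;
}

/** Stream a vetted path. The content type is fixed rather than derived from the extension. */
function send_download(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

/** Offline self-test on constructed files in a temp dir; returns [payload => accepted?]. */
function self_test(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_example_' . getmypid();
    mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700, true);
    file_put_contents($base . '/report.pdf', 'constructed sample');
    file_put_contents($base . '/sub/inner.txt', 'constructed sample');

    $payloads = [
        'report.pdf',              // legitimate: accepted
        'sub/inner.txt',           // subdirectory, still inside base: accepted
        'sub/../report.pdf',       // ".." that stays inside base: accepted
        '../../../../etc/passwd',  // classic traversal: rejected
        '/etc/passwd',             // absolute path: rejected
        'sub',                     // a directory, not a file: rejected
        "report.pdf\0.txt",        // NUL byte: rejected
    ];
    $results = [];
    foreach ($payloads as $p) {
        $results[$p] = resolve_download_path($base, $p) !== null;
    }

    unlink($base . '/sub/inner.txt');
    unlink($base . '/report.pdf');
    rmdir($base . '/sub');
    rmdir($base);
    return $results;
}

if (PHP_SAPI === 'cli') {
    var_export(self_test());                           // run: php download_example.php
} else {
    $f = $_GET['f'] ?? '';
    $path = is_string($f) ? resolve_download_path('/srv/fusionpbx/downloads', $f) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    send_download($path);
}
```

The check deliberately canonicalizes before comparing: a string-level filter for "../" would still admit symlinks pointing outside the tree and absolute paths, both of which realpath() exposes. Run from the CLI the self-test prints which constructed payloads are accepted; only the first three should be.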
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
1 file changed · +0 −35
resources/download.php+0 −35 removed@@ -1,35 +0,0 @@ -<?php -/* - FusionPBX - Version: MPL 1.1 - - The contents of this file are subject to the Mozilla Public License Version - 1.1 (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - http://www.mozilla.org/MPL/ - - Software distributed under the License is distributed on an "AS IS" basis, - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - for the specific language governing rights and limitations under the - License. - - The Original Code is FusionPBX - - The Initial Developer of the Original Code is - Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2008-2012 - the Initial Developer. All Rights Reserved. - - Contributor(s): - Mark J Crane <markjcrane@fusionpbx.com> -*/ -include "root.php"; -require_once "resources/require.php"; -//require_once "resources/check_auth.php"; - -$file = $_GET["f"]; -require_once "resources/secure_download.php"; -//echo $file; -DownloadFile($file_dir.$file); - -?> \ No newline at end of file
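Review bot: `$file_dir` is never assigned in this file, so unless `resources/require.php` happens to set it, `DownloadFile($file_dir.$file)` receives the raw `f` query string as the entire path and no `../` is needed: an absolute value such as `/etc/passwd` is passed through unchanged. Deleting the file closes this; if a download endpoint is reinstated, resolve the requested name under a fixed base directory with `realpath()` and refuse anything whose canonical path does not start with that base. Note also that `//require_once "resources/check_auth.php";` is commented out here, so the only authentication gate is the `require_once "resources/check_auth.php";` reached through the included secure_download.php.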
9482d9ee0e42 Delete secure_download.php
1 file changed · +0 −91
resources/secure_download.php+0 −91 removed@@ -1,91 +0,0 @@ -<?php -/* - FusionPBX - Version: MPL 1.1 - - The contents of this file are subject to the Mozilla Public License Version - 1.1 (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - http://www.mozilla.org/MPL/ - - Software distributed under the License is distributed on an "AS IS" basis, - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - for the specific language governing rights and limitations under the - License. - - The Original Code is FusionPBX - - The Initial Developer of the Original Code is - Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2008-2012 - the Initial Developer. All Rights Reserved. - - Contributor(s): - Mark J Crane <markjcrane@fusionpbx.com> -*/ -include "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; - -//clears if file exists cache -clearstatcache(); - - -function getDownloadFilename($strfile) { - // Get download file name and path - //$basedir = "c:\\products\\"; - //$basedir = "/home/wwwbeta/secure/files/"; - $basedir = "c:/www/demo.netprofx.com/secure/files/"; - // Build and return download file name - return $basedir . $strfile; -} - -function DownloadFile($filename) { - // Check filename - if (empty($filename) || !file_exists($filename)) { - echo "Error: file doesn't exist or is empty. 
<br>\n $filename"; - return FALSE; - } - - $file_extension = strtolower(substr(strrchr($filename,"."),1)); - switch ($file_extension) { - case "pdf": $ctype="application/pdf"; break; - case "exe": $ctype="application/octet-stream"; break; - case "zip": $ctype="application/zip"; break; - case "doc": $ctype="application/msword"; break; - case "xls": $ctype="application/vnd.ms-excel"; break; - case "ppt": $ctype="application/vnd.ms-powerpoint"; break; - case "gif": $ctype="image/gif"; break; - case "png": $ctype="image/png"; break; - case "jpe": case "jpeg": - case "jpg": $ctype="image/jpg"; break; - default: $ctype="application/force-download"; - } - - //if (!file_exists($filename)) { - // die("NO FILE HERE<br>$filename"); - //} - - // Create download file name to be displayed to user - $saveasname = basename($filename); - - header("Expires: 0"); - header("Pragma: public"); - header("Expires: 0"); - header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); - header("Cache-Control: private",false); - header("Content-Type: $ctype"); - header("Content-Disposition: attachment; filename=\"".basename($filename)."\";"); - header("Content-Transfer-Encoding: binary"); - header("Content-Length: ".@filesize($filename)); - - set_time_limit(0); - @readfile($filename) or die("File not found."); - - // Done - return TRUE; -} - - - -?>
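Review bot: `DownloadFile()` performs no containment of its own; its only guard is `!file_exists($filename)`, so every caller must constrain the path and nothing stops one from forgetting to. The extension `switch` is a content-type map with a permissive `default: $ctype="application/force-download";`, not an allowlist, so any file is served regardless of extension, and `Content-Disposition` interpolates `basename($filename)` into the quoted filename without escaping. `getDownloadFilename()` hardcodes `$basedir = "c:/www/demo.netprofx.com/secure/files/"` from a demo host and is never called. Since the commit deletes the file wholesale none of this needs fixing here; if the helper is ever reintroduced, put the base-directory check inside `DownloadFile()` so callers cannot bypass it, and drop `@readfile($filename) or die(...)`, which suppresses the very errors that would reveal a bad path.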
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951
- [2] github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108
- [3] resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-2/