OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process
Package: OSS Endpoint Manager (FreePBX-ContributedModules)
Affected versions: <= 14.0.3
Patched versions: 14.0.4
Summary
Allows download of any file on the server that the freepbx user can read, by a user logged in to the web GUI with access to the OSS Endpoint Manager module, provided the module is installed and was previously used to export some of its related data (e.g. via "Export Brand Packages" under its Advanced Settings), or a specific "export" directory was previously created at a specific location on the filesystem by some other process.
Details
Log in to FreePBX. Activate the OSS Endpoint Manager module and use it to export some brand packages.
Then, requesting the following URL with file_package set to the path of the file to download is enough:
Problem file and line:
https://github.com/FreePBX-ContributedModules/endpointman/blob/7ee3571fad7a067e0d1beaeb5e5a0a16b6da55fa/Endpointman_Advanced.class.php#L1054
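The defect described above is a file_package value that is used as a path without being confined to the export directory. The handler below, an added example and not the endpointman project's code or its 14.0.4 fix, shows the containment check a download endpoint needs; the export directory location and the allowed file-name character set are assumptions.

```php
<?php
// Added example (not endpointman code): serve a brand package only if the
// requested name resolves to a regular file inside the fixed export directory.
declare(strict_types=1);

// Assumed location of the module's export directory.
const EXPORT_DIR = '/var/www/html/admin/modules/endpointman/export';

/**
 * Map a user-supplied file_package value to a canonical path inside
 * EXPORT_DIR. Returns null if the request must be refused.
 */
function resolve_export_file(string $requested): ?string
{
    // Accept a bare file name only: no directory components, no "." or "..",
    // no hidden files.
    if ($requested === '' || $requested !== basename($requested) || $requested[0] === '.') {
        return null;
    }
    // Character allow-list for package names (assumed; tighten to the real set).
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $requested)) {
        return null;
    }
    $base = realpath(EXPORT_DIR);
    $path = realpath(EXPORT_DIR . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks, so a link planted in the export directory
    // that points elsewhere fails the prefix check below.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The module's own login/permission check must already have passed here.
$file = resolve_export_file((string)($_GET['file_package'] ?? ''));
if ($file === null) {
    http_response_code(400);
    exit('invalid package');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . (string)filesize($file));
readfile($file);
```

With this check, a file_package value containing a directory separator or traversal sequence is rejected before any filesystem access, and only regular files whose canonical path sits under the export directory are served.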
Fix:
PoC
Install the OSS Endpoint Manager module, activate it and export a brand.
Impact
Security data leak affecting all systems that have the module installed and have used it to export a brand package. The affected version of the module, as published in the FreePBX-ContributedModules repo, is installable on FreePBX v14 and v15, but not on v16 or v17 due to PHP version changes; however, forks of the module carrying this bug are known to be in the wild, so this issue may affect your system.
Patch to Fix
If you are on FreePBX v14 or v15, you can upgrade to OSS Endpoint Manager version 14.0.4 at https://github.com/FreePBX-ContributedModules/endpointman
Other versions: please contact your fork maintainer.