conan.chiles
Forum User
- Joined: Mar 14, 2019
- Messages: 2
- Reaction score: 0
Hi,
Just noticed a few things with the 3CX Windows client.
The end user receives the welcome email, subject line: "Welcome to 3CX: Extension xxxx",
which includes links to download the client.
Address:
"http://downloads-global.3cx.com/downloads/3CXPhoneforWindows15.msi"
That should be an HTTPS link, and the web server should also redirect HTTP to HTTPS.
Same for the Mac link:
"http://downloads-global.3cx.com/downloads/3CXPhoneForMac15.dmg"
The MSI installs the client to the following location:
"C:\ProgramData\3CXPhone for Windows\"
with an ACL that grants "everyone" full control,
and adds a link to "C:\ProgramData\3CXPhone for Windows\PhoneApp\3CXWin8Phone.exe" in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp".
So we have an issue where a non-admin-privileged user can write to something that runs on login for all users on that computer.
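An audit for the condition described in the post, as an added example that is not part of the original post or of 3CX's software: it resolves every shortcut in the all-users Startup folder and reports targets (or their parent folders) whose ACL lets broad, non-administrative groups write. The function name `Get-BroadWriteAce` and the choice of which groups count as "broad" are assumptions made for this example.

```powershell
# Added example: find all-users Startup shortcuts whose targets non-admins can modify.
# Well-known SIDs of broad, non-administrative principals (an assumed selection).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Only write-type bits, so a read-only ACE never matches the mask.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for identities as SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            -not ($rule.PropagationFlags -band $inheritOnly) -and   # ACE must apply to this object
            ($rule.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# All-users Startup folder (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp).
$startup = [Environment]::GetFolderPath('CommonStartup')
$shell   = New-Object -ComObject WScript.Shell

Get-ChildItem -LiteralPath $startup -Filter *.lnk | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -and (Test-Path -LiteralPath $target)) {
        Get-BroadWriteAce -Path $target                        # the executable itself
        Get-BroadWriteAce -Path (Split-Path -Parent $target)   # its folder (file replacement)
    }
}
```

Any row in the output is a file or folder that runs at logon for every user and that a standard user can alter; no output means none of the checked groups has write access to the resolved targets.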