security issue with 3cx windows client install

Status
Not open for further replies.

conan.chiles

Forum User
Joined
Mar 14, 2019
Messages
2
Reaction score
0
Hi,
Just noticed a few things with the 3CX Windows client.

The end user receives the welcome email, subject line: "Welcome to 3CX: Extension xxxx",
which includes links to download the client.

Address:
"http://downloads-global.3cx.com/downloads/3CXPhoneforWindows15.msi"

That should be an HTTPS link, and the web server should also redirect HTTP to HTTPS.

Same for the Mac link:
"http://downloads-global.3cx.com/downloads/3CXPhoneForMac15.dmg"


The MSI installs the client to the following location:
"C:\ProgramData\3CXPhone for Windows\"

with an ACL that grants "Everyone" full control,

and adds a link to "C:\ProgramData\3CXPhone for Windows\PhoneApp\3CXWin8Phone.exe" in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp".

So we have an issue where a non-admin-privileged user can write to something that runs on login for all users on that computer.
 

Attachments

  • 3cx.png (65 KB)
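The ACL problem described in the post can be checked (and, on an admin's decision, fixed) with the script below. It is an added example for this thread, not code from the post or from 3CX: it lists every ACE on the install directory, and on every program launched from the all-users Startup folder, that gives a low-privilege principal write access, which is exactly the "anyone can replace something that runs at every logon" condition. The two paths are the ones quoted in the post; the SID list, the rights mask and the function names are assumptions of this example.

```powershell
# Added example for this thread; it is not code from the post or from 3CX. It audits
# who can write to the 3CX install directory and to every program launched from the
# all-users Startup folder, and on request replaces the weak ACL. The two paths are
# the ones quoted in the post; the SID list, rights mask and function names are
# assumptions of this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$InstallDir = 'C:\ProgramData\3CXPhone for Windows',
    [string]$StartupDir = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    [switch]$Fix   # also tighten $InstallDir (run elevated; honours -WhatIf)
)

# Principals every interactive user belongs to. Write access for any of them means
# any local account can tamper with code that runs at every logon.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Any one of these rights is enough to replace or alter a file in the directory.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
             $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::WriteAttributes -bor
             $FSR::WriteExtendedAttributes -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Get-WeakAce {
    # Return every Allow ACE on $Path that grants a low-privilege principal write rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                       # unresolvable identity: skip it
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-StartupTarget {
    # Resolve each .lnk in the Startup folder to the executable it launches.
    param([Parameter(Mandatory)][string]$Dir)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target) { [pscustomobject]@{ Shortcut = $_.FullName; Target = $target } }
    }
}

function Repair-InstallAcl {
    # Purge the explicit ACEs of the low-privilege principals found by Get-WeakAce and
    # grant BUILTIN\Users read/execute only. Administrators and SYSTEM keep the full
    # control they normally inherit from ProgramData, which is what an elevated
    # updater needs. Inheritable ACEs propagate to PhoneApp\ and the .exe below it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($weak in @(Get-WeakAce -Path $Path | Where-Object { -not $_.Inherited })) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]::new($weak.Identity))
    }
    $readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($readOnly)
    if ($PSCmdlet.ShouldProcess($Path, 'Replace low-privilege write ACEs with Users:ReadAndExecute')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# --- audit -------------------------------------------------------------------
$findings = @()
if (Test-Path -LiteralPath $InstallDir) { $findings += Get-WeakAce -Path $InstallDir }
foreach ($s in Get-StartupTarget -Dir $StartupDir) {
    # Check the target and its directory: a writable directory lets a user rename
    # a locked binary aside and drop a replacement under the same name.
    foreach ($p in @($s.Target, (Split-Path -Parent $s.Target))) {
        if (Test-Path -LiteralPath $p) { $findings += Get-WeakAce -Path $p }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No low-privilege write access found.' }

# --- remediate (opt-in) ------------------------------------------------------
if ($Fix -and (Test-Path -LiteralPath $InstallDir)) {
    Repair-InstallAcl -Path $InstallDir
    Get-WeakAce -Path $InstallDir      # re-audit; prints nothing once fixed
}
```

Run it from an elevated PowerShell 5.1 or later session; `-Fix -WhatIf` shows which directory would be changed without touching it, and `icacls "C:\ProgramData\3CXPhone for Windows"` is the quick manual equivalent of the audit part. One caveat before rolling the fix out: if the client updates itself under the logged-on user's token rather than from an elevated process, the tightened ACL is exactly what will make that update fail, so test an update on one machine first.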

CBX

Forum User
Joined
Mar 28, 2019
Messages
34
Reaction score
7
The same was reported before. I'm curious what the response is this time - if any.
 

NickD_3CX

Community Manager
3CX Support
Silver Partner
Advanced Certified
Joined
Jun 2, 2014
Messages
5,584
Reaction score
1,978
Regarding the download links, we already plan to change them to HTTPS. You can of course in the meantime go and change them yourself: Management Console --> Settings --> Email --> Email Template and select the "Extension Welcome" template from the drop-down.

While the 3CX App executable and source files are common for all users in the ProgramData folder, the user account information is in the AppData folder of each user, which is not accessible by all users.
This was done for convenience, as updating the app when an update is available would only need to be done once.
There is of course the case of an internal "threat" where a user could replace the .exe with something malicious.
If you have this concern, I can understand, but I have a suggestion: use the WebClient.
 