Synopsis: 3CX 6.0.806.0 is vulnerable to session hijacking, XSS, information disclosure and DoS.
Background: "3CX Phone System for Windows is a software-based IP PBX that replaces traditional proprietary hardware PBX / PABX. 3CX's IP PBX has been developed specifically for Microsoft Windows and is based on the SIP standard, making it easier to manage and allowing you to use any SIP phone (software or hardware)."
Issue 1: By default 3CX does not run HTTPS, so an attacker able to sniff traffic to the console can capture the administrator's session ID, masquerade as the administrator and perform tasks on their behalf.
Issue 2: XSS is possible in the fName and fPassword fields on the main login page for the console (login.php).
Issue 3: If the drive on which 3CX is installed reaches 100% capacity, the login.php page reveals the installation path to any user.
Issue 4: Performing vulnerability scans (Nessus/SAINT) against a 3CX server causes the server to become unstable and crash; the installation does not recover and must be reinstalled before it can be used again.
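As an added example that is not part of the original advisory, the following Python scanner flags access-log requests to login.php whose fName or fPassword parameters (Issue 2) carry HTML or script markup. The log format, the sample lines and the parameter/markup patterns are constructed assumptions; POST bodies are not visible in an access log, so only query-string submissions are caught here.

```python
# Added example, not 3CX code: detect markup in the login.php fName / fPassword
# parameters named in Issue 2, using constructed Apache-style access log lines.
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log shape (assumed); captures client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

WATCHED_PARAMS = ("fName", "fPassword")
# Tag openers, javascript: URLs and on*= event handlers in the decoded value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_params(target):
    """Return the watched parameter names whose decoded value contains markup."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/login.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = []
    for name in WATCHED_PARAMS:
        if any(MARKUP_RE.search(value) for value in qs.get(name, [])):
            hits.append(name)
    return hits


def scan_log(lines):
    """Yield one finding per log line that targets login.php with markup in a watched field."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "params": hits})
    return findings


# Constructed sample log lines (not real 3CX traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Aug/2008:10:12:01 -0400] "GET /login.php?fName=admin&fPassword=secret HTTP/1.1" 200 1532',
    '10.0.0.9 - - [05/Aug/2008:10:13:44 -0400] "GET /login.php?fName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fPassword=x HTTP/1.1" 200 1601',
    '10.0.0.9 - - [05/Aug/2008:10:14:02 -0400] "GET /index.php?fName=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 404 210',
    '10.0.0.9 - - [05/Aug/2008:10:15:10 -0400] "GET /login.php?fName=admin&fPassword=%22+onmouseover%3Dalert(1) HTTP/1.1" 200 1598',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```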
Timeline:
Discovered: August 5, 2008
Vendor notified: August 24, 2008
Vendor response: September 3, 2008
Vendor fix: November 2008
Chris Castaldo
"An ounce of prevention is worth a pound of cure."