AllTune2 PoC Index

AllTune2 Security PoC Index

Confirmed failures and fixes (local/test use only)

Confirmed failures

Critical Unauthenticated privileged control

Affected endpoint: /alltune2/api/connect.php
Why it matters: triggers privileged host actions (Asterisk/DVSwitch control and service restart) without an auth gate.
Impact: remote disruption/control of the node by anyone who can reach the web app.

High No CSRF protection on state changes

Affected endpoints: /alltune2/api/connect.php, /alltune2/public/favorites.php
Impact: a malicious web page can cause a browser to submit actions to these endpoints (especially bad when combined with missing auth).

Medium Unauthenticated favorites modification

Affected endpoint: /alltune2/public/favorites.php
Impact: attacker can add/alter shared favorites entries (integrity/ops confusion).

Safety warning

Running the PoCs with --do performs real actions (disconnects, restarts, DTMF, writes to favorites). Run only on systems you own and preferably a test node.

PoCs

Unauthenticated privileged control PoC (Ruby)

Calls /api/connect.php without authentication (e.g., disconnect_all, send_dtmf).

File: unauth_connect_api_poc.rb
Unauthenticated favorites write PoC (Ruby)

POSTs directly to /public/favorites.php to create/modify favorites without auth/CSRF.

File: unauth_favorites_write_poc.rb

Run commands

Replace http://127.0.0.1/alltune2 with your test node base URL.

# Dry-run (prints request; does not send)
ruby poc/unauth_connect_api_poc.rb http://127.0.0.1/alltune2 disconnect_all

# Execute (sends request; performs real action)
ruby poc/unauth_connect_api_poc.rb http://127.0.0.1/alltune2 disconnect_all --do

# Execute DTMF (real action)
ruby poc/unauth_connect_api_poc.rb http://127.0.0.1/alltune2 send_dtmf --dtmf="*70" --do

# Execute favorites write (real write)
ruby poc/unauth_favorites_write_poc.rb http://127.0.0.1/alltune2 --target=12345 --name="owned" --do

Suggested fixes (priority order)

Put an auth gate in front of all of /alltune2/ (Apache auth, VPN-only access, or app-level login + authorization checks).
Network restrict: bind to LAN only, firewall, and do not expose to the public internet.
Add CSRF defenses for every state-changing POST: CSRF token + Origin/Referer validation + session cookie SameSite.
Harden sessions: set cookie flags before session_start() (HttpOnly, Secure when HTTPS, SameSite=Lax/Strict).
Reduce sudo surface: prefer a small root-owned helper/daemon with a strict allowlist instead of broad sudo execution from PHP.
Logging/alerting: log caller IP + action + outcome for all state changes.

This page is informational. The PoCs live in alltune2/ and should be executed from the CLI.