Add new vulnerability module for CVE-2025-57819 #1504

Open
sankalp-b1401 wants to merge 4 commits into OWASP:master from sankalp-b1401:modules/vuln/sangoma_freepbx_cve_2025_57819

@sankalp-b1401
Contributor

Proposed change

Your PR description goes here:

CVE-2025-57819 is a critical vulnerability (CVSS: 9.8) in Sangoma FreePBX Web GUI v. 15, 16, 17. It allows an unauthenticated user to perform SQL injection via the endpoint manager module (due to improper input sanitization) and modify the user or cron_job DB, which can lead to RCE and even root-level privilege escalation.

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change that fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I've digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test and I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I've attached screenshots demonstrating that my code works as intended (if applicable)
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

@coderabbitai
Contributor

coderabbitai bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 37ead6ee-6cbb-4cfc-b8e5-7f9d2e66f9e5

📥 Commits

Reviewing files that changed from the base of the PR and between 5225b67 and bb64575.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml
✅ Files skipped from review due to trivial changes (1)
  • nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml

Summary by CodeRabbit

  • New Features

    • Added a vulnerability check for CVE-2025-57819 targeting Sangoma FreePBX, with improved response validation to detect exploitation and extract identifying information.
  • Documentation

    • Updated module documentation to include the new vulnerability check and brief usage guidance.

Walkthrough

Adds a new vulnerability YAML module sangoma_freepbx_cve_2025_57819_vuln and a single-line documentation entry in docs/Modules.md. The module performs an HTTP GET to /admin/ajax.php with a crafted brand parameter and regex checks that extract USER() from the response.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: docs/Modules.md | Added a new "Vuln Modules" list entry for sangoma_freepbx_cve_2025_57819_vuln. |
| Vulnerability Module: nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml | New vuln definition: metadata and severity, single HTTP GET step to /admin/ajax.php using nettacker_fuzzer URL templates (http/https, ports 80/443), brand carries an SQLi XPATH payload, SSL verification disabled, response regex asserts XPATH error, related file marker, and captures USER(). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately summarizes the primary change: adding a new vulnerability scanning module for CVE-2025-57819. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing context about the CVE-2025-57819 vulnerability and demonstrating that the module has been tested and documented as required. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

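A defender-side counterpart to the check described in the walkthrough, added here as an example (it is not part of the PR or of Nettacker): it scans web access logs for requests to /admin/ajax.php whose brand value falls outside an allowlist. The combined log format, the allowlist pattern and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Apr/2026:06:50:01 +0000] "GET /admin/ajax.php?brand=acme HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2026:06:51:13 +0000] "GET /admin/ajax.php?brand=x%27%20OR%20%271 HTTP/1.1" 500 231 "-" "curl/8.5.0"
203.0.113.9 - - [08/Apr/2026:06:51:14 +0000] "GET /admin/config.php?brand=x%27 HTTP/1.1" 200 90 "-" "curl/8.5.0"
198.51.100.7 - - [08/Apr/2026:06:52:40 +0000] "POST /admin/ajax.php?brand=a%2F**%2Fb HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

WATCHED_PATH = "/admin/ajax.php"   # endpoint named in the walkthrough
WATCHED_PARAM = "brand"            # parameter named in the walkthrough
# Assumption: legitimate brand values are short plain identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_requests(log_text):
    """Return one record per watched-parameter value that fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        # Decode and normalise so /admin/./ajax.php or %61jax.php still match.
        path = posixpath.normpath(unquote(url.path)).lower()
        if path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes values; keep blanks so "brand=" is inspected.
        for value in parse_qs(url.query, keep_blank_values=True).get(WATCHED_PARAM, []):
            if SAFE_VALUE.fullmatch(value) is None:
                hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "status": int(m["status"]), "brand": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs carry only the query string, so a value sent in a request body has to be inspected at a WAF or in application logs instead.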

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/Modules.md`:
- Line 164: The Scan Modules list in the docs is missing the new module; add an
entry for 'geoserver_version_scan' alongside the existing entries (e.g., the
line with '**sangoma_freepbx_cve_2025_57819_vuln**') so the documentation
reflects the new scan module added by this PR; update the Scan Modules section
to include '**geoserver_version_scan**' with a short description matching the
format of other entries.

In `@nettacker/modules/scan/geoserver_version.yaml`:
- Around line 6-7: Populate the info.reference field in geoserver_version.yaml
with at least one concrete URL pointing to a source for the Geoserver version
detection logic (for example an official Geoserver docs page, CVE reference, or
the blog/article you used). Edit the info block where "reference:" is currently
empty and add a valid HTTP(S) URL string so the module's provenance follows
Nettacker conventions and other HTTP modules' patterns.

In `@nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml`:
- Around line 29-31: The User-Agent header uses the non-canonical templating "{{
user_agent }}" which differs from the project's canonical "{user_agent}"
placeholder; update the headers -> User-Agent value to use the single-brace
placeholder "{user_agent}" (no extra spaces or double braces) so it matches
other modules and prevents placeholder rendering inconsistencies.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6d8058e-242c-44b0-8c67-148db74aa538

📥 Commits

Reviewing files that changed from the base of the PR and between d177207 and 755ad9f.

📒 Files selected for processing (3)
  • docs/Modules.md
  • nettacker/modules/scan/geoserver_version.yaml
  • nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml

@sankalp-b1401 sankalp-b1401 force-pushed the modules/vuln/sangoma_freepbx_cve_2025_57819 branch from 755ad9f to ad1f08e Compare April 8, 2026 06:54
@sankalp-b1401 sankalp-b1401 marked this pull request as ready for review April 8, 2026 08:38
@securestep9
Collaborator

@coderabbitai full review

@coderabbitai
Contributor

coderabbitai bot commented Apr 8, 2026

✅ Actions performed

Full review triggered.

Contributor

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml (1)

30-30: ⚠️ Potential issue | 🟠 Major

Use canonical User-Agent placeholder to restore runtime substitution.

Line 30 uses "{ user_agent }" (with spaces), which is rendered literally instead of being substituted. Please switch it back to "{user_agent}".

Suggested fix
-          User-Agent: "{ user_agent }"
+          User-Agent: "{user_agent}"
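Review bot: the removed line shows the placeholder as "{ user_agent }" (single braces with spaces), while the earlier inline comment on this file quotes it as "{{ user_agent }}" (double braces), so confirm which form is actually at line 30 of the current commit before applying the suggestion. The verification pattern that follows only matches the single-brace spaced form, so a double-brace occurrence elsewhere in nettacker/modules/vuln would go unreported; widening it to accept one or two braces with optional spaces would cover both.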
#!/bin/bash
# Verify placeholder style consistency and detect non-canonical spacing
# Expected:
# 1) Canonical form appears widely: "{user_agent}"
# 2) This file currently has "{ user_agent }" and should be corrected.

echo "== Canonical User-Agent placeholders in vuln modules =="
rg -nP --type=yaml 'User-Agent:\s*"\{user_agent\}"' nettacker/modules/vuln -C1

echo
echo "== Non-canonical spaced placeholder occurrences =="
rg -nP --type=yaml 'User-Agent:\s*"\{\s+user_agent\s+\}"' nettacker/modules/vuln -C1

Based on learnings: Every HTTP step should use headers.User-Agent: "{user_agent}" in Nettacker YAML modules.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml` at line 30,
Replace the non-canonical spaced User-Agent placeholder in the YAML payload so
runtime substitution works: change the header value from "{ user_agent }" to the
canonical "{user_agent}" in the headers.User-Agent entry (look for the
User-Agent line in the sangoma_freepbx_cve_2025_57819.yaml file).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml`:
- Line 30: Replace the non-canonical spaced User-Agent placeholder in the YAML
payload so runtime substitution works: change the header value from "{
user_agent }" to the canonical "{user_agent}" in the headers.User-Agent entry
(look for the User-Agent line in the sangoma_freepbx_cve_2025_57819.yaml file).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a2ed2561-0a33-4d1b-92b1-74efdd3c7978

📥 Commits

Reviewing files that changed from the base of the PR and between d177207 and 5225b67.

📒 Files selected for processing (2)
  • docs/Modules.md
  • nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml

@securestep9 securestep9 added new module pull request with new module(s) labels Apr 9, 2026