Security Update for ASTPP – Important Fix Released!

Dear ASTPP Community,

ASTPP has always been an open-source project, built with passion and driven by a strong community. Over the years, we have worked tirelessly to improve its security and stability, ensuring that businesses and developers worldwide can rely on it.

We recently discovered a critical security vulnerability in the ASTPP community edition. While a community patch was shared, it does not fully resolve the issue, breaks an existing feature and may leave systems vulnerable. Our team has developed a fully tested and verified security patch, which will be released tomorrow morning.

However, maintaining and improving ASTPP - especially in terms of security - requires dedicated developer time and resources. Until now, we have provided all updates completely for free, but as the project grows, we face increasing challenges in sustaining this model.

New Security & Maintenance Plan

To ensure ASTPP remains secure and sustainable, we are introducing a Security & Maintenance Plan for community users who need priority access to security updates.

What does this mean for you?

Enterprise users are already secured with the patch if you have an active support plan.

Community users: You can pre-order the patch by purchasing a one-time patch for $99. Once the patch is fully verified, we will deliver it tomorrow morning and notify you via email.

You can directly place an order from [ASTPCUS] ASTPP Login Security Patch | Inextrix Technologies Pvt. Ltd.

If security is a priority for your business and you want to receive regular updates and ongoing support, we encourage you to subscribe to our Security & Maintenance Plan. Our team is happy to assist you - feel free to reach out at Contact us - Open Source VoIP Billing Solution - ASTPP.

The patch will be released for free to all community users after 30 days to ensure fairness and maintain our open-source values.

Why Are We Doing This?
Many community users only reach out to us when they need urgent security fixes, but there is no revenue to support continuous development. By introducing this model, we can:

→ Fund ongoing security research & fixes
→ Fairly compensate developers working on ASTPP
→ Ensure long-term sustainability without depending solely on enterprise clients

This approach ensures that ASTPP remains open-source and accessible while allowing us to sustain its development.

We appreciate your support and feedback as we take this step to make ASTPP more secure and sustainable for the future.

Thank you for being part of the ASTPP community!

Best Regards,
Samir Doshi

Then you should do as I suggested before, sell some commercial modules for the community version like which was done with version 3.

Maybe even start a market place where others can sell their own commercial modules where you can take a cut of the sales. This would add more value to ASTPP.

However on the other hand, bad security tarnishes your reputation

1 Like

Commenting out the “relogin function” fixes the vulnerability 100%, so I can wait 30 days if I have to. However, instead of charging us, you should thank the open source community for discovering this major security issue. If @knerd and @dcitelecom hadn’t discovered this breach, thousands of ASTPP servers could have been compromised, even Enterprise servers. I believe we saved you money by preventing irreparable harm to your business model.

2 Likes

Thanks @KNERD and @dcitelecom for your active involvement in finding out the issue and helping others quickly. Appreciate your efforts.

I have removed the sensitive topic, as hackers can easily get ideas from it and harm other businesses.

PLEASE IF ANYONE GET SECURITY ISSUE WITH ASTPP, REPORT TO US IN PRIVATE IN PLACE OF FORUM.

OK but it’s impossible to find the issue without the help of others in the forum. Typically, first someone reports an issue, then a forum member steps up and asks for more info. As bits and pieces of information go back and forth, the issue is recognized and sometimes they find a solution. Asking people to report an open source project only to you is not feasible.

I understand that you had to remove the sensitive info but you should not have removed the fix we posted because this is open source software and people should not be required to buy the fix from you if they don’t want to.

I am talking only about security issues. It doesn't make any sense to post a sensitive security issue in the forum and open the doors for hackers to hack others' systems with that flaw.
The better idea would be to report to the ASTPP team first and, if no action is taken or no solution is found, then we can involve other active community members and get it resolved.

Dear ASTPP Devs,

Are you serious that we need to pay for a fuckup you have caused? Seriously?

We were affected by this security issue and it caused us a damage of more than 10.000 USD! I will pay for the patch if you refund me the damage before we take legal action!

1 Like

Hi MrSenser,

We understand that security issues can be frustrating, but let’s set the record straight:

  1. ASTPP is an open-source project—you downloaded, installed, and managed it on your own, without any paid service or support from us.
  2. Like all open-source software, security updates depend on community contributions and responsible maintenance by users.
  3. If you run a critical system and depend on ASTPP, it’s your responsibility to ensure proper security measures, just like with any self-hosted software.

We are offering a paid Security & Maintenance Plan to provide timely fixes and ensure sustainability, but no one is forcing you to buy it. If you prefer, you can wait for the free release after 30 days or try to fix it yourself. That’s the freedom of open-source.

Blaming us for your losses is misplaced—we didn’t manage your system, nor did we force you to use ASTPP without security oversight. We encourage all users to take security seriously and plan accordingly.

If you’d like to discuss this further, feel free to reach out professionally. Otherwise, let’s keep the conversation constructive.

Hi @smrdoshi

Of course, security issues are frustrating. But honestly, this particular issue was something else entirely – it’s basically a 10 out of 10 in terms of vulnerability metrics. Instead of patching it immediately, you’re trying to profit from it. Sorry, but that honestly feels quite off.

I’m well-acquainted with the open-source world. I’m part of the Hestia Control Panel team, which is installed on over 65,000 servers. We’re also working hard to find sustainable monetization strategies for the project — it’s a common and well-known challenge in open source.

That said, from my point of view, trying to “make a bit of money” off the back of such a severe security issue borders on blackmail. We also suffered damages in the range of $500–600. I’m fully aware that we can’t take legal action — it is an open-source project, and there are no warranties. But the way you’re handling this is simply poor form.

Maybe it would have made more sense to include at least a donation button. I couldn’t find one on the GitHub project page or in the backend itself — and that alone could probably bring in more support without risking your reputation.

Honestly, this feels like a textbook example of “how not to do it” — just my two cents.

1 Like

That specific case was discovered thanks to the troubleshooting efforts of two forum members — that’s why it became public so quickly. Personally, I believe the “best practices” for communicating security issues are well established and widely known.

P.S.: Looks like your caps lock key might have gotten stuck there. :wink:

Sometimes your team is slow to respond. And with the ability to private message others on the forum disabled, we are forced to post sensitive information publicly. Maybe it would make more sense to enable the ability to send private message to others.

1 Like

With all due respect, I don’t believe we acted wrong by posting on the forum. The issue was first discovered Tuesday morning EST when your team is not available.

I had already lost $500 and was not going to wait until someone got back to me the next day. I needed help right away, and thankfully @knerd replied (thanks). Once we knew what was happening, we immediately contacted Inextrix to advise you of the issue. By the evening of the same day, we even had a choice of 2 temporary fixes available, which you took down in the forum and on Github, so now everyone has to buy your fix.

With open source software, the first step is always to reach out for assistance in the forum instead of asking for help from paid support. The whole point of open source is that it’s OPEN i.e. visible for everyone to help modify and fortify the code.

3 Likes

I don’t have a problem with Inextrix charging money to provide a fix. Pay us for our time and get the fix now, or wait 30 days to get it for free is a money-grab, but acceptable.

However, what is NOT acceptable is that Inextrix actively removed our open-source, temporary fix from Github and this forum, which would have allowed users to wait the 30 days. Even if it wasn’t a perfect fix, at least it was available, and with time, the open-source community could have contributed towards improving the code. By removing all traces of this temporary fix, Inextrix did not act properly.

6 Likes

The good thing at github, nothing is “away”: Modified for login.php security flaw. by tcreek · Pull Request #727 · iNextrix/ASTPP · GitHub

6 Likes

Reason #101 why everything should be posted on Github.

2 Likes

I understand that a community member posted a vulnerability that allows unauthorized access to the admin panel, and to prevent further exploitation of this vulnerability, it was removed from the forum.

I’m asking, does this pull request help prevent this issue in any way?

The one there on GitHub disallows the admin from logging in, but not users.

I’m running a lot of systems, about 5 servers for outbound termination. We never got hacked on these systems except for ASTPP, where we have been hacked already 3 times with a loss of almost $3500.

I have implemented whitelisted IP access for them. There are no hack issues. I recommend to everybody: if you don’t need to have public access, get it firewalled until things play out.
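One way to do the firewalling the post above recommends, as an added example that is not part of the original thread and not ASTPP's own code: a POSIX shell function that emits an nftables ruleset allowing only listed source addresses to reach the web UI ports and dropping every other packet to those ports. It assumes the UI listens on TCP 80/443 and that the host runs nftables; the allowlist entries (203.0.113.0/24, 198.51.100.7) are constructed documentation addresses, not anyone's real network.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that restricts the ASTPP web UI
# to an IPv4 allowlist. Assumptions (not from the thread): the UI is served on
# TCP 80 and 443 and the box uses nftables. Adjust UI_PORTS to match your setup.

UI_PORTS="80, 443"

# gen_ui_allowlist "CIDR-or-IP [CIDR-or-IP ...]"
# Prints a ruleset on stdout; returns 1 on an empty or malformed allowlist so
# a typo cannot silently produce a ruleset that locks everyone out (or no one).
gen_ui_allowlist() {
    allow="$1"
    [ -n "$allow" ] || { echo "refusing to generate an empty allowlist" >&2; return 1; }

    elems=""
    for e in $allow; do
        # Cheap sanity check: only digits, dots and a slash are allowed in an
        # IPv4 address or CIDR prefix. nft itself does the full validation.
        case "$e" in
            *[!0-9./]*) echo "bad allowlist entry: $e" >&2; return 1 ;;
        esac
        elems="${elems:+$elems, }$e"
    done

    cat <<EOF
table inet astpp_ui {
    set ui_allow {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # keep replies to connections the box itself opened working
        ct state established,related accept
        # allowlisted sources may reach the UI ports ...
        tcp dport { $UI_PORTS } ip saddr @ui_allow accept
        # ... everybody else is dropped (counter makes the drops visible in nft list)
        tcp dport { $UI_PORTS } counter drop
    }
}
EOF
}
```

Usage: `gen_ui_allowlist "203.0.113.0/24 198.51.100.7" | nft -f -` loads the table live; redirect the output to a file under /etc/nftables.d/ (or wherever your distribution includes rulesets from) to make it persistent. The table is its own namespace, so `nft delete table inet astpp_ui` removes the restriction again without touching other rules. Because the chain policy stays `accept`, SIP and RTP traffic to the same host is not affected; only the listed TCP ports are gated.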

@smrdoshi 100% I think this is the only way to make money today from open source!
(Or get lower with pressing for Yearly Enterprise)

2 Likes

Just out of curiosity. Which 5 VoIP billing systems do you run besides ASTPP?

1 Like