Thread: DirectAdmin 1.48.3 has been released

  1. #1

    DirectAdmin 1.48.3 has been released

    Hello,

    DirectAdmin 1.48.3 has been released.
    This is a bugfix release to address session cookies on FreeBSD, as well as a missing newline when multiple cacerts are used.
    http://www.directadmin.com/versions....rsion=1.483000

    Sorry for all the releases!

    If you are affected by the session expiry issue and cannot login to DA, update it from ssh like this:
    Code:
    cd /usr/local/directadmin
    echo "action=update&value=program" >> data/task.queue; ./dataskq d2000
    and when done, confirm you've got 1.48.3:
    Code:
    ./directadmin v
    John

  2. #2
    John,

    I appreciate these quick releases. A bug being fixed in under 24 hours, on a weekend is awesome

    A happy DA customer.

    Kevin


  3. #3
    Yeah John, I agree completely with Kevin. You won't have to hear me complain. I'm a very happy DA customer as well.

  4. #4
    Hello,

    Thank you for the bug fix.
    But I have a suggestion:

    Create an easy way to upgrade to the beta (e.g. from the DA admin level), and wait 7 days before sending out the stable version.
    Regards. (Sorry for my bad English.)

  5. #5

  6. #6
    DA has a referer header check, so cross-site attacks are not really possible.
    The reporter was likely "attacking himself", so the check passed, but if an external site does it, then it would get blocked.

    Just make sure this is on, and it wouldn't be an issue:
    http://www.directadmin.com/features.php?id=1050

    Code:
    cd /usr/local/directadmin
    ./directadmin c |grep referer_check
    it should be set to 1 by default.

    I'll still go over each entry to make sure, but ever since we added the id=1050 check_referer, all XSS attack reports have been false.

    John

  7. #7
    The fact that one of the forms has this supports my theory that they were doing a local attack, not an "external site":
    Code:
    <form name=info action="CMD_EMAIL_FORWARDER" method="post">
    so I don't see any reason their report has any credibility.

  8. #8
    Just tested a few and they fail, so it's a false report:
    Code:
    [root@server public_html]# tail /var/log/directadmin/error.log
    2015:09:08-15:25:22: Referer port (80) does not match DA's (2222): http://testdomain.com/exploit.html
    2015:09:08-15:25:22: Referer check failed for 1.2.3.4
    Here the port is just one of the checks that are done.
    There is also the hostname, which has to match.

    So the only way an "XSS" attack is possible is if they manage to hack a DA skin to add their XSS form, which would imply they already have root access, which means you've got bigger problems (they got in some other way).

    Anyway, again, the report is false, but thanks for the report.

    John
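The referer check that posts #6 and #8 describe, written out as an added example. This is not DirectAdmin's own code: it models only what the log lines show (the Referer's port and hostname must match the panel's own), and it assumes the function names, the `da_host`/`da_port` parameters, the "Referer check passed" wording and a constructed set of requests and log lines. The second sample request is the "attacking himself" case from post #7: a form posted from a page already served by the panel on port 2222 passes, which is exactly why a same-origin test is not evidence of an external attack.

```python
# Added example: a referer-based cross-site request check modelled on the
# behaviour the posts above describe (port and hostname of the Referer must
# match the panel's own), plus a scan of constructed error-log lines.
# This is NOT DirectAdmin's code; the function names, the da_host/da_port
# arguments, the "Referer check passed" message and SAMPLE_LOG are assumptions.
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def check_referer(referer, da_host, da_port=2222):
    """Return (ok, reason) for one request.

    da_host/da_port: the hostname and port the panel was reached on
    (assumed to be what the real check compares against). The failure
    wording copies the log line in the post; the pass message is made up.
    """
    if not referer:
        # A missing Referer is a failure here: a forged cross-site POST can
        # simply omit the header, so "no header" must not mean "same origin".
        return False, "Referer header missing"
    parts = urlsplit(referer)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return False, "Referer is not an absolute http(s) URL: %s" % referer
    try:
        ref_port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # e.g. "http://host:notanumber/"
        return False, "Referer has an invalid port: %s" % referer
    if ref_port != da_port:
        return False, "Referer port (%d) does not match DA's (%d): %s" % (
            ref_port, da_port, referer)
    if parts.hostname.lower() != da_host.lower():
        return False, "Referer host (%s) does not match DA's (%s): %s" % (
            parts.hostname, da_host, referer)
    return True, "Referer check passed"


# Constructed requests: the attacker-hosted page from the post, the same
# form submitted from inside the panel ("attacking himself"), a different
# host on the right port, a missing header, and a look-alike subdomain.
SAMPLE_REQUESTS = [
    ("http://testdomain.com/exploit.html", "server.example.com"),
    ("https://server.example.com:2222/CMD_EMAIL_FORWARDER", "server.example.com"),
    ("https://evil.example:2222/CMD_EMAIL_FORWARDER", "server.example.com"),
    ("", "server.example.com"),
    ("https://server.example.com.evil.example:2222/x", "server.example.com"),
]


def run_samples(requests=SAMPLE_REQUESTS, da_port=2222):
    """Evaluate each (referer, da_host) pair; return a list of (ok, reason)."""
    return [check_referer(ref, host, da_port) for ref, host in requests]


# --- reading the panel's error log ---------------------------------------
# Constructed lines in the format shown in the post (not a real log).
SAMPLE_LOG = """\
2015:09:08-15:25:22: Referer port (80) does not match DA's (2222): http://testdomain.com/exploit.html
2015:09:08-15:25:22: Referer check failed for 1.2.3.4
2015:09:08-15:26:01: Referer port (80) does not match DA's (2222): http://testdomain.com/exploit.html
2015:09:08-15:26:01: Referer check failed for 1.2.3.4
2015:09:08-16:02:40: Referer check failed for 5.6.7.8
"""

FAIL_RE = re.compile(r"Referer check failed for (\S+)\s*$")


def count_referer_failures(log_text=SAMPLE_LOG):
    """Count 'Referer check failed' lines per source IP -> {ip: count}."""
    counts = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    for ok, reason in run_samples():
        print("%-4s %s" % ("PASS" if ok else "FAIL", reason))
    print(count_referer_failures())
```

Two caveats a practitioner would want: the check only blocks a request that carries a wrong Referer, so the empty-header case has to be a failure as above (browsers with a strict Referrer-Policy or privacy extensions will then be locked out of the panel, which is the trade-off this kind of check always makes), and a count of failures per IP from the error log is a useful signal of someone probing, but a handful of entries can also be a legitimate user behind a proxy that rewrites the header.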
