DirectAdmin 1.50.1 has been released

I agree, "preferably" is not "do not post here".
it's typically best to notify the coder of a security issue first
Of course this is the correct way if it's not public yet, but in this case the issue was already released to the public. Since it's out there already, I agree having DA users warned about this too is a good thing.
 
Luckily, pretty much all XSS reports are essentially a zero threat because of this:
https://help.directadmin.com/item.php?id=619

So I'll add a fix, but as long as you've got check_referer=1 turned on, which it is by default, the only threat is that you can create pop-ups in your own browser.
The "cross" part of cross-site-scripting doesn't apply with check_referer=1, meaning a malicious external site has no effect on things, essentially nullifying the threat.
I'd still classify it as a bug though.

https://www.directadmin.com/features.php?id=1913

Available in pre-release in about 20 minutes.

John
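As an added illustration (not DirectAdmin's code and not part of the post above), here is a small Python model of the referer check described in the reply: a request is accepted only if its Referer header carries the same scheme, host and port as the panel itself, so a reflected-XSS lure hosted on an external site fails the check before anything is reflected, while the same request made from inside the panel still reflects it. The hostnames, the port 2222, the reflecting "search" page and the decision to reject a request that has no Referer header at all are assumptions made for this example, not a description of DirectAdmin's internals.

```python
import html
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Malformed values (non-numeric port, javascript: URLs, relative paths)
    all map to None, which the caller treats as "not our site".
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
        return scheme, parts.hostname.lower(), port
    except ValueError:
        return None


def referer_allowed(headers, own_scheme, own_host, require_referer=True):
    """Model of a check_referer=1 style gate (example code, not DirectAdmin's).

    headers is a dict of request headers (constructed input below).
    own_host is the panel's host[:port], e.g. "panel.example.com:2222"
    (an assumed name on the usual DirectAdmin port).  A missing Referer is
    rejected unless require_referer is False; that policy is an assumption
    of this example, not a statement about DirectAdmin's behaviour.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return not require_referer
    return _origin(referer) == _origin(f"{own_scheme}://{own_host}")


def search_page_vulnerable(headers, query):
    """Hypothetical page that reflects a parameter without encoding (the bug),
    sitting behind the referer gate.  Returns (status, body)."""
    if not referer_allowed(headers, "https", "panel.example.com:2222"):
        return 403, "referer check failed"
    return 200, f"<p>Results for: {query}</p>"


def search_page_fixed(headers, query):
    """Same page with the actual XSS fix: HTML-encode the reflected value.
    The referer gate stays in place; the encoding is what removes the bug."""
    if not referer_allowed(headers, "https", "panel.example.com:2222"):
        return 403, "referer check failed"
    return 200, f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Constructed sample requests: one navigated from inside the panel,
# one launched from a lure page on an attacker-controlled site.
FROM_PANEL = {"Host": "panel.example.com:2222",
              "Referer": "https://panel.example.com:2222/CMD_SHOW_USER"}
FROM_LURE = {"Host": "panel.example.com:2222",
             "Referer": "https://attacker.example/lure.html"}
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(search_page_vulnerable(FROM_LURE, PAYLOAD))   # refused by the gate
    print(search_page_vulnerable(FROM_PANEL, PAYLOAD))  # still reflected
    print(search_page_fixed(FROM_PANEL, PAYLOAD))       # encoded
```

Two caveats the model makes visible: the gate only works when the browser actually sends a Referer, so a version that accepts a missing header can be bypassed by a lure page that suppresses referrers (a no-referrer policy), which is why the example rejects the absent-header case by default; and the gate blocks the cross-site delivery path without removing the sink, so the encoding in `search_page_fixed` is the real fix and a same-origin request still reaches the reflection.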