DA Exploit Disclosed

[hostpc.com]

#Aria-Security Team Advisory
#<www.Aria-security.Com For English >
#<www.Aria-Security.net For Persian >
#Original Advisory : http://aria-security.net/advisory/directadmin.txt
#-----------------------------------------------------------
#Software: DirectAdmin V1.28.1
#DirectAdmin level used : Admin level
#PoC:
http://target:2222/CMD_SHOW_RESELLER?userXSS
http://target:2222/CMD_SHOW_USER?user=XSS

#DirectAdmin level used : User Level
#PoC:
http://target:2222/CMD_TICKET_CREATE?TYPE=XSS
http://target:2222/CMD_EMAIL_FORWARDER_MODIFY?DOMAIN=demo.com&user=XSS
http://target:2222/CMD_TICKET?action=view&number=000000044&type=XSS
http://tareget:2222/CMD_EMAIL_VACATION_MODIFY?DOMAIN=demo.com&user=XSS
http://target:2222/CMD_EMAIL_LIST?action=view&DOMAIN=demo.com&name=XSS
http://target:2222/CMD_FTP_SHOW?DOMAIN=demo.com&user=XSS

#DirectAdmin level used : Reseller
http://target:2222/CMD_SHOW_USER?user=XSS
#
#P.S : Attacker must be authenticated
#
#Contact: [email protected]

 

[pucky]

What is being done about this?

 

[DirectAdmin Support]

Hello,

I've mentioned this many times... I don't consider any of those security issues. They mearly offer a user the ability to break his own forms and not do anything.

http://www.directadmin.com/forum/showthread.php?s=&threadid=15038&highlight=form+security
(related post is 2/3 the way down reloading to the other "advisory")

John

 

[hostpc.com]

true, what I'm trying to determine tho is if someone gets an account to be mailicious (stolen cc) - can it affect other sites...

 

[DirectAdmin Support]

if anyone finds any security issues with this, of course, let me know, but there shouldn't be any, it's designed that way

John

 

[nobaloney]

true, what I'm trying to determine tho is if someone gets an account to be mailicious (stolen cc) - can it affect other sites...

As you know you can set up PHP to be very insecure. Many of us are tempted to do so, because our clients want the insecurity of ease-of-use of old code.

Don't.

Jeff