Direct Admin vulnerability - DA Control Panel

hostpc.com

Date: 27 Apr 2006 04:29:05 -0000

#'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
#Aria-Security.net Advisory
#Discovered by: O.U.T.L.A.W
#[email protected]
#Gr33t to:A.u.r.a & R@1D3N & Cl0wn & Dtrap
#'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
- Software: DirectAdmin
- Support Website: http://www.Directadmin.com
- Advisory: http://www.aria-security.net/advisory/hm/directadmin.txt
- Summary: DirectAdmin is a hosting management system
- Tested on: http://www.directadmin.com/demo.html

- Proof of Concept:
LOCAL XSS attack:
http://www.directadmin.com:2222/HTM_PASSWD?domain=".><script>alert(document.cookie)</script><!--


- Solution:
 
The so-called "proof of concept" example doesn't do squat as far as I can see. Nor does it on my server.
 
It does do something, the 'alert' works (see here).
What I'm not sure of is how much of a security threat this really is.
As far as I can tell it only works if you're already logged into the server.
 
I tested that on http://www.directadmin.com/demo.html as you can see in the url. I don't know what OS is installed on the DA server.
 
Sorry, it still doesn't do it for me. Tried it again on my servers as well, both logged in and not, and I even turned off my popup blocker... nothing.
 
Hello,

But... how is this a "vulnerability" ?

Yes, you can insert anything you want for the token, but then nothing works ;) Your domain is no longer valid. I did get the popup, but what's the problem? Tokens are used to set up your HTML to prepare things like forms on your end. Only the form submission will actually *do* anything. If you pass an invalid domain during a form submission, DA will whine, no worries there ;)

It's not a bug, it's how it's designed.
Users are free to break their forms if they want, but that really serves no purpose ;)

John
 
I was wondering about the same thing. How would this constitute a security risk? Especially since it appears that you need to be logged in in the first place to get the popup. If you're logged in then you apparently already have access to the server. But I don't think this could be used to bypass the username/password authentication...

The person who 'discovered' this did mention an email address. Maybe someone could contact him to ask how he thinks this could be exploited, if that is even possible...
 
I think that's why it's just a "local" attack (you'd be attacking yourself); there isn't anything server side that can be hurt. It just changes the forms, which is duly noted, but known. You can just as easily create your own HTML at home, log in to DA, and try to submit whatever you wrote (assuming your browser maintains the cookies). Point being, only forms that are submitted really matter. Same thing with the API: they're just form POSTs; they don't even have forms to be messed up. Forms for the API are nothing but PHP scripts created by their author. Put it this way: DA is a tool that accepts form posts. The skins are just a luxury that saves you from writing out what you want by hand ;)

John
 
Thanks, John. I thought this as well, but it's always better to read it from you.

:)

Jeff
 
FYI, someone decided to report this same issue for a 3rd time to securityfocus, so I've decided to add some basic filters to stop people from re-reporting the same thing over and over.. which in turn will also stop people from passing scripts between pages (sorry if you use that as a feature, but you probably shouldn't be anyway)
http://www.directadmin.com/features.php?id=755

John
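The thread describes two sides of the same token-substitution issue: the skin page echoes the `domain` parameter into a form field without escaping (which is why the advisory's payload produces a popup), and the fix John announces is a basic filter on what the token may contain. The example below is added here to illustrate both; it is not DirectAdmin's code, and the template, the `|DOMAIN|` token name and the form action are assumptions modelled on the URL in the advisory rather than taken from any real skin file. The payload string is the one quoted in the thread.

```python
import html
import re

# Constructed sample skin fragment (assumption, not a DirectAdmin skin):
# the `domain` query parameter is substituted for the |DOMAIN| token
# inside an attribute value, which is the context the advisory's URL hits.
TEMPLATE = (
    '<form method="post" action="/CMD_CHANGE_PASSWD">'
    '<input type="hidden" name="domain" value="|DOMAIN|">'
    '</form>'
)

# The proof-of-concept parameter value quoted in the thread, verbatim.
POC_DOMAIN = '".><script>alert(document.cookie)</script><!--'


def render_unsafe(domain: str) -> str:
    """Plain token substitution with no escaping: the behaviour the thread discusses.

    The closing quote and '>' in the payload end the <input> tag early, so the
    <script> element that follows is rendered live by the browser.
    """
    return TEMPLATE.replace("|DOMAIN|", domain)


def render_escaped(domain: str) -> str:
    """Same substitution, but the value is escaped for an HTML attribute context.

    quote=True turns the double quote into &quot;, so the token cannot close
    the attribute, and < and > become &lt; / &gt; so no new tag can start.
    """
    return TEMPLATE.replace("|DOMAIN|", html.escape(domain, quote=True))


# A conservative hostname shape (assumption about what a "basic filter" might
# be): dot-separated labels of letters, digits and hyphens, no label starting
# or ending with a hyphen, at most 63 characters per label and 253 overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_domain(domain: str) -> bool:
    """Allow-list check: only values that look like a hostname pass."""
    return bool(_HOSTNAME.match(domain))


def render_filtered(domain: str) -> str:
    """Reject anything that is not a hostname, then escape what survives.

    Escaping alone already neutralises the payload; the filter additionally
    keeps junk out of the form, which is the effect John describes.
    """
    if not is_valid_domain(domain):
        raise ValueError("rejected domain token")
    return render_escaped(domain)


def script_breaks_out(page: str) -> bool:
    """Check used in tests: does the rendered page contain a live <script> tag?"""
    return "<script>" in page


if __name__ == "__main__":
    print("unsafe  :", render_unsafe(POC_DOMAIN))
    print("escaped :", render_escaped(POC_DOMAIN))
    print("filtered:", "rejected" if not is_valid_domain(POC_DOMAIN) else "accepted")
```

Running the block prints the unsafe rendering with the `<input>` tag closed early and a live `<script>` element, the escaped rendering where the same bytes sit harmlessly inside the attribute, and the filter result for the payload. The escaping step is the part that actually removes the cross-site-scripting risk; the hostname allow-list is the extra "basic filter" layer, and it also rejects otherwise harmless but malformed values, which matches John's remark that users relying on passing scripts between pages will lose that behaviour.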
 