DirectAdmin 1.48.3 has been released

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,905
Hello,

DirectAdmin 1.48.3 has been released.
This is a bugfix release to address session cookies on FreeBSD, as well as a missing newline when multiple cacerts are used.
http://www.directadmin.com/versions.php?version=1.483000

Sorry for all the releases! :)

If you are affected by the session expiry issue and cannot log in to DA, update it from ssh like this:
Code:
cd /usr/local/directadmin
echo "action=update&value=program" >> data/task.queue; ./dataskq d2000
and when done, confirm you've got 1.48.3:
Code:
./directadmin v
John
 

kevinb

Verified User
Joined
Jul 27, 2006
Messages
93

r3chn3r

Verified User
Joined
Jan 13, 2013
Messages
103
Yeah John, I agree completely with Kevin. You won't have to hear me complain. I'm a very happy DA customer as well.
 

Mehdi Tamaddon

Verified User
Joined
Nov 14, 2014
Messages
38
Location
Iran, The Land of Persia
Hello,

Thank you for the bug fix.
But I have a suggestion:

Create an easy way to upgrade to the beta (e.g. from the DA admin level), and wait 7 days before sending out the stable version.
Regards. (Sorry for my bad English.)
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,905
DA has a referer header check, so cross site attacks are not really possible.
The reporter likely was "attacking himself", so the check passed, but if an external site does it, then it would get blocked.

Just make sure this is on, and it won't be an issue:
http://www.directadmin.com/features.php?id=1050

Code:
cd /usr/local/directadmin
./directadmin c |grep referer_check
it should be set to 1 by default.

I'll still go over each entry to make sure, but ever since we added the id=1050 check_referer, all XSS attack reports have been false.

John
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,905
The fact that one of the forms has this supports my theory that they were doing a local attack, not an "external site":
Code:
<form name=info action="CMD_EMAIL_FORWARDER" method="post">
so I don't see any reason their report has any credibility.
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,905
Just tested a few and they fail, so it's a false report:
Code:
[root@server public_html]# tail /var/log/directadmin/error.log
2015:09:08-15:25:22: Referer port (80) does not match DA's (2222): http://testdomain.com/exploit.html
2015:09:08-15:25:22: Referer check failed for 1.2.3.4
Where the port is just one of the checks that are done.
There is also the hostname which has to match.

So the only way an "XSS" attack is possible is if they manage to hack a DA skin to add their XSS form, which would imply they already have root access, which means you've got bigger problems (they got in some other way).

Anyway, again, the report is false, but thanks for the report.

John
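The two log lines above show the shape of the check John describes: the Referer's port is compared with DA's port, and the hostname has to match too. The block below is an added example, not DirectAdmin's own code, of a referer check that applies both of those rules and fails closed on a missing or malformed header (how DA itself treats an absent Referer is not stated in the thread, so that part is an assumption). The hostname `server.example.com` and the sample referers are constructed; port 2222 is DA's port as given in the log.

```python
from urllib.parse import urlsplit

# Constructed values for the example: the host DA is reached on and its port.
DA_HOST = "server.example.com"
DA_PORT = 2222


def referer_check(referer, da_host=DA_HOST, da_port=DA_PORT):
    """Return (ok, reason). Both hostname and port must match DA's.

    A missing or unparsable Referer is rejected (fail closed); that choice
    is this example's, not something the thread states about DA.
    """
    if not referer:
        return False, "Referer header missing"
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "Referer unparsable"
    if parts.scheme not in ("http", "https"):
        return False, "Referer scheme (%s) not http(s)" % (parts.scheme or "none")
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        return False, "Referer has no hostname"
    if port is None:  # default port for the scheme when none is given
        port = 443 if parts.scheme == "https" else 80
    # Port check first, mirroring the order seen in the thread's error.log lines.
    if port != da_port:
        return False, "Referer port (%d) does not match DA's (%d): %s" % (port, da_port, referer)
    if host != da_host.lower():
        return False, "Referer host (%s) does not match DA's (%s): %s" % (host, da_host, referer)
    return True, "ok"


def check_requests(referers, client_ip="1.2.3.4"):
    """Run the check over several Referer values and render error.log style lines."""
    lines = []
    for ref in referers:
        ok, reason = referer_check(ref)
        if not ok:
            lines.append("%s" % reason)
            lines.append("Referer check failed for %s" % client_ip)
    return lines


if __name__ == "__main__":
    # Constructed sample referers: an external page on port 80 (the case from
    # the thread), a legitimate DA page, and a same-port page on another host.
    samples = [
        "http://testdomain.com/exploit.html",
        "http://server.example.com:2222/CMD_EMAIL_FORWARDER",
        "http://other.example.net:2222/form.html",
    ]
    for line in check_requests(samples):
        print(line)
```

Only the request whose Referer carries both DA's hostname and DA's port passes; a page served from another host on port 80, or even from another host on port 2222, is rejected, which is why a form that posts to `CMD_EMAIL_FORWARDER` from an external site gets logged rather than executed.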
 