DirectAdmin 1.50.1 has been released

[Richard G]

I agree, "preferably" is not "do not post here".

it's typically best to notify the coder of a security issue first

Ofcourse this is the correct way if it's not public yet, but in this case the issue was already released to the public. Since it's out there already, I agree having DA users warned about this too is a good thing.

 

[DirectAdmin Support]

Luckily, pretty much all XSS reports are essentially a zero threat because of this:
https://help.directadmin.com/item.php?id=619

So I'll add a fix, but as long as you've got check_referer=1 turned on, which it is by default, the only threat is that you can create pop-ups in your own browser.
The "cross" part of cross-site-scripting doesn't apply with check_referer=1, meaning a malicious external site has no effect on things, essentially nullifying the threat.
I'd still classify it as a bug though.

https://www.directadmin.com/features.php?id=1913

available in pre-release in about 20 minutes.

John

 

[Richard G]

Thank you John!

 

[Invader Zim]

available in pre-release in about 20 minutes.

John

Well done, sir.

 

[irist]

3 bug in directadmin 1.50.1 by iedb.ir

3 security bugs discovered and has been registered by the security team iedb.ir
Please panel maximize security in future versions.
Do that Public Private not a bug.
link :
http://iedb.ir/exploits-6582.html
http://iedb.ir/exploits-6523.html
http://iedb.ir/exploits-6517.html
It is for information only.
Amir me, I iedb.ir security team manager.