Directadmin un-patched security vulnerabilities

Spark (Verified User, joined Aug 25, 2006, 107 messages)
Why is it that DirectAdmin has not made any official announcements regarding the vulnerabilities it has?

Shouldn't you alert us when there is an exploit and you have patched it?

Or is it that our installs still have not been patched and you didn't know about them for the past couple of years?

https://www.google.com/#hl=en&sclient=psy-ab&q=1337day.com+directadmin&oq=1337day.com


I don't mean to start a flame here... I'm just concerned with any software we use, given the latest WHMCS hack.
 
It is nonsense of you to post a Google search link; what answer do you expect? If there is a security vulnerability that you think is not patched, then please let us know. However, do not post a link to a generic search result and expect us to check every single Google entry!

Edit: To answer your question: you should learn to read the DirectAdmin changelog http://www.directadmin.com/versions.php?action=allversions - there are no known security vulnerabilities. If you know of any, please send an email to DirectAdmin support.
 

All of those Google results that are returned are vulnerabilities and instructions with code on how to exploit them... I did check the release notes, and did not see DirectAdmin addressing any of them...

This concerned me because many of these are a couple of years old... Hence my questions, which you didn't answer, so you are not helpful.
 
Any of these could very well be patched and DirectAdmin just did not make an official announcement, hence my questions.
 
Check the first four links in the result... and by no means should you post the links directly... doing so would only give their web analytics referrer data and they would know they were being linked to from these forums.
 
I looked at the first results from your link, and did not see any that are not patched. However, you need to use the correct settings to secure your server and DirectAdmin. For example, on a shared hosting server, you should use the harden-symlinks patch: http://www.directadmin.com/forum/showthread.php?t=42332&p=214681#post214681

Again, if you think there are unpatched vulnerabilities you should contact DirectAdmin support by email and ask them. Of course, do not send them generic Google search result links, but send them definite/concrete vulnerabilities that you think might be unpatched. However, I do not think there exist any that are known.
 
Hello,

The bulk of the reports we get are false.

For example, most of the reported XSS (cross-site scripting) issues are not actual security issues because of the Referer header check, which prevents remote sites from affecting you.
The actual reported XSS issues are always fixed, but they were never security issues in the first place (they only work if the client attacks himself, which is pointless), e.g.:
http://www.directadmin.com/features.php?id=1050
This is why the people who report the issues do so... they are testing on themselves locally and don't take into account the security measures that are in place, which block external sites from doing the attack.
If they had tested the attack from a remote page, they'd realize the attack doesn't work.

Any security-related issues are flagged with "security" in the versions system.

When there is a security issue that needs immediate attention, we release DA with the fix right away, and include a "Security" section in the mailing list email.

Always ensure your copy of DA is up to date.

We recommend using custombuild to tell you when a new update is available (point #3):
http://help.directadmin.com/item.php?id=247

If you have any concerns about current reports, you can always email us and we'll tell you what we did to fix it.
If it's a new report, then we'll either fix it, or tell you why it isn't a valid report.

John
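The Referer check John describes is the reason a reflected-XSS payload that "works" when a user submits it to himself does not work when a remote page tries to deliver it: the browser, not the attacker, fills in the Referer, so a request triggered from an attacker's page carries the attacker's host in that header. The following is an added illustration of such a check in Python, not DirectAdmin's code; the panel hostname, the request samples and the `referer_allowed` / `evaluate` function names are all constructed for the example. It also covers two edge cases a practitioner should test: a hostname-suffix lookalike and a `user@host` userinfo trick, both of which pass a naive substring comparison and fail an exact hostname comparison.

```python
from urllib.parse import urlsplit

# Hypothetical hostname of the control panel (assumption for this example).
PANEL_HOST = "panel.example.net"


def referer_allowed(headers, expected_host, allow_missing=False):
    """Return True only if the request's Referer names the panel itself.

    headers       : dict of HTTP request headers (case as sent by the browser)
    expected_host : hostname the panel is served on
    allow_missing : whether a request with no Referer at all is accepted;
                    strict (False) by default, which is the assumption here
    """
    referer = headers.get("Referer")
    if referer is None:
        return allow_missing
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the parsed hostname exactly. urlsplit() strips the port and any
    # userinfo, so "panel.example.net@attacker.example" yields attacker.example,
    # and a suffix lookalike is simply a different, non-matching host.
    return (parts.hostname or "").lower() == expected_host.lower()


# Constructed sample requests, one per scenario from the discussion above.
SAMPLE_REQUESTS = {
    # User submits his own form on the panel (self-XSS scenario): allowed.
    "own_form": {"Referer": "https://panel.example.net:2222/CMD_USER_STATS"},
    # Same request triggered from an attacker's page: browser sets its host.
    "remote_page": {"Referer": "http://attacker.example/lure.html"},
    # Lookalike that would pass a substring/startswith check.
    "suffix_trick": {"Referer": "https://panel.example.net.attacker.example/"},
    # Userinfo trick: the real host is after the '@'.
    "userinfo_trick": {"Referer": "https://panel.example.net@attacker.example/"},
    # Referer suppressed (privacy extension, Referrer-Policy, non-browser client).
    "no_referer": {},
}


def evaluate(requests=SAMPLE_REQUESTS, expected_host=PANEL_HOST):
    """Run the check over each sample and report which would be accepted."""
    return {name: referer_allowed(h, expected_host) for name, h in requests.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:15s} -> {'accepted' if ok else 'rejected'}")
```

Only the request that originates from the panel's own page is accepted; the remote-page request, which is how an attacker would actually have to deliver a reflected payload, is rejected. The remaining caveat is the missing-Referer case: rejecting it is the safe default for a CSRF-style check, but it will also block legitimate users whose browsers or proxies strip the header, so whichever policy a panel chooses should be tested deliberately rather than discovered in production.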
 
If you mean the first result, then John mentioned it (Referer header check). Also, the first result doesn't mention a version.
 