I've tried with DA 1.34.4 and wasn't able to exploit it. The only differences were that I was running it on https and on a different port (but I guess this doesn't matter).
I agree, https and different port seems irrelevant.
It is probable that DA 1.34.0 was vulnerable, and it was fixed later.
In any case, I'd upgrade to latest version, if I run DA 1.34.0.
After looking into it, I have found that it can be theoretically possible to create an account remotely; however, there are many conditions that must be true for it to happen, and the attacker would have to know a few specifics. I won't get into too much detail on it here, but I've added a fix for the next release: http://www.directadmin.com/features.php?id=1050
The main tip I can give you right now, is that if you're done using your DA, don't forget to click "Logout".
I have not released 1.34.5 yet due to the low-level nature of the fix and the potential for it to break the ability to use DA.
I would encourage anyone who wants the fix now and is willing to test it to grab the latest pre-release binaries from their clients section.
Note that if there are any issues, you can always fall back to the current production binaries. Don't forget to let me know if you have issues with these pre-release binaries so I can address it.
I'll be making a full production release once the testing is complete (likely a few days).
So it seems that this exploit is applicable if you stay logged into the DirectAdmin interface, then visit a malicious site that manages to make your browser send a request that performs a DirectAdmin function.
So kind of an unlikely event? But something to get fixed at the next release.
Correct. Also, the "attacker" would have to know the exact value you used to login with. If you used domain.com, and he has www.domain.com in his form, it won't work. I would say the odds are quite low, but the risks are still present, so I'll be making a release once this gets some testing under its belt.
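The two posts above describe a cross-site request forgery scenario: the browser is still carrying a valid DirectAdmin login, a page on another site submits a form at the panel, and the browser attaches the session automatically. The post also notes that the attempt fails unless the host in the attacker's form exactly matches the host the victim logged in on. The following is an added example of the server-side check a panel can use to close this class of bug; it is not DirectAdmin's code and not the fix linked in the thread. It assumes a hypothetical in-memory session store (`SESSIONS`) and a constructed request shape (`cookies`, `headers`, `form` dicts), and it enforces two independent conditions: the Origin (or Referer) host must equal the host the session was created on, and the form must carry a per-session token that a page on another site cannot read.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical session store: session id -> the host the user logged in on and
# a per-session CSRF token that the panel embeds in its own forms.
SESSIONS = {
    "sess-abc": {"login_host": "domain.com", "csrf_token": secrets.token_hex(16)},
}


def browser_origin_host(headers):
    """Hostname the browser reports the request as coming from.

    Prefers Origin (browsers send it on cross-site POSTs) and falls back to
    Referer. Returns None when neither is present; the caller fails closed.
    urlsplit().hostname lowercases and drops the port, so a panel on a
    non-standard port still compares cleanly.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def check_state_changing_request(request):
    """Decide whether a cookie-authenticated POST may change account state.

    request is a constructed dict: {"cookies": {...}, "headers": {...}, "form": {...}}
    Returns (allowed, reason).
    """
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return False, "no valid session"

    # 1. The page that submitted the form must live on exactly the host the
    #    user logged in on; "www.domain.com" and "domain.com" do not match.
    src = browser_origin_host(request["headers"])
    if src is None:
        return False, "missing Origin/Referer: fail closed"
    if src != session["login_host"]:
        return False, f"cross-site request from {src}"

    # 2. The form must carry the secret token tied to this session. Another
    #    site can make the browser send the cookie but cannot read the token,
    #    so it cannot fill in this field. Constant-time compare avoids leaking
    #    the token byte by byte through timing.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False, "missing or wrong CSRF token"

    return True, "ok"


# Constructed requests: the user's own browser submitting the real panel form,
# a form submitted from an unrelated site, and a lookalike on the www host.
LEGIT = {
    "cookies": {"session": "sess-abc"},
    "headers": {"Origin": "https://domain.com"},
    "form": {"user": "newacct", "csrf_token": SESSIONS["sess-abc"]["csrf_token"]},
}
THIRD_PARTY = {
    "cookies": {"session": "sess-abc"},        # browser attaches it automatically
    "headers": {"Origin": "https://third-party.example"},
    "form": {"user": "newacct"},               # that page never saw the token
}
WWW_MISMATCH = {
    "cookies": {"session": "sess-abc"},
    "headers": {"Origin": "https://www.domain.com"},
    "form": {"user": "newacct", "csrf_token": SESSIONS["sess-abc"]["csrf_token"]},
}

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("third-party", THIRD_PARTY), ("www mismatch", WWW_MISMATCH)):
        print(label, check_state_changing_request(req))
```

The host comparison alone is what the thread describes as the accidental protection; the token is what makes the check robust, because it does not depend on the attacker guessing which hostname or port the victim used. Logging out, as the earlier post advises, is the user-side mitigation: with no session cookie the first check already fails.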
What about something to automate DA upgrade? Is there any script or workaround to upgrade DA if a new release is ready? Because I think there are people that may have many, many servers.
You asked about updating DA automatically. Just run it as a cron job every day and if there is an update available then your DA will be updated. It may not be what you meant but it is what you asked.