Security Issue DA <= 1.33.6

Socrates (new member; joined Sep 22, 2008; 4 messages)
Hi,

I've received a message that there is a security issue with DirectAdmin. I've looked through the forum but can't find an announcement of this (yet). Could someone please shed some light on the following security problem?

The website this was originally found is:
http://pridels-team.blogspot.com/2009/06/directadmin-v1336-xss-vuln.html

Excerpt from the blog posting:

DirectAdmin <= v1.33.6 XSS vuln.
###############################################
Vuln. discovered by : r0t
Date: 19 June 2009
vendor:http://www.directadmin.com/
affected versions: v1.33.6; other versions may also be affected.
###############################################

DirectAdmin contains a flaw that allows remote cross-site scripting attacks. Input passed to the "view" parameter in "CMD_REDIRECT" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
##############################################
live PoC:
http://www.directadmin.com:2222/CMD...script>alert(111);</script>=1&domain=demo.com
PS.
need to login:
demo_user:demo
###############################################
Solution:
Filter malicious characters and character sequences in a web proxy.
###############################################
 
It is a valid and relatively high security threat, but it can easily be avoided by using the DirectAdmin administration interface exclusively and by logging out whenever you surf to a different website.
I guess this will be fixed in the next release.
 
Hello,

Thanks for the report. This would be an issue if you were to unknowingly click a crafted link that someone else gives you. As tillo mentioned, just make sure you log out of DA when you're done using it, and don't browse other sites while using DA. To exploit the issue, the attacker would have to get you to click a specific link while you're still logged into DA, so it would have to be a custom-made attack tailored for you and your domain. I'll filter out those values for the table searches and release a new version of DA (along with the currently finished features that were stated for the next release), and the other features will be pushed to the version after.

John
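To illustrate the class of bug discussed in this thread (a query parameter reflected into the response without encoding) and the two defender-side fixes, here is an added example that is not DirectAdmin's code. It assumes a hypothetical handler for a CMD_REDIRECT-style page, uses the "view" parameter and domain name from the thread, and uses a constructed allow-list pattern for what a legitimate view value might look like.

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request: a "view" value carrying the same markup the
# advisory's PoC uses, on a page whose name follows the thread. The handler
# below is hypothetical, not DirectAdmin's actual implementation.
SAMPLE_URL = "/CMD_REDIRECT?view=<script>alert(111);</script>&domain=demo.com"

# Assumed allow-list for a legitimate view name (the real set of valid values
# is not known from the thread; this pattern is an illustration).
VIEW_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def view_param(url: str) -> str:
    """Return the decoded 'view' query parameter, or '' if it is absent.

    Parsed by hand so that ';' inside the value is never treated as a
    separator (older parse_qs versions split on it).
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "view":
            return unquote_plus(value)
    return ""


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: attacker markup becomes live script."""
    return f"<h1>Redirects for view: {view_param(url)}</h1>"


def render_hardened(url: str) -> str:
    """Fix 1: encode for an HTML text context before reflecting the value."""
    return f"<h1>Redirects for view: {html.escape(view_param(url), quote=True)}</h1>"


def validate_view(value: str) -> bool:
    """Fix 2: accept only values matching the allow-list (reject, don't fix up)."""
    return VIEW_RE.fullmatch(value) is not None


def contains_live_tag(fragment: str) -> bool:
    """Check used for verification: does an unencoded '<script' survive?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))   # markup reflected as-is
    print(render_hardened(SAMPLE_URL))     # markup rendered as inert text
    print(validate_view(view_param(SAMPLE_URL)))  # False: rejected at input
```

In practice both fixes apply together: validate on input against what the page actually accepts, and encode on output for the context the value lands in.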
 
Thank you John, using your software is always a pleasure.
If I ever encounter "r0t" I'll spit in his eye for not reporting to you before releasing the PoC.
 
Thanks for the fast replies. Input sanitizing is a bitch, right? :)

However, the idea of DirectAdmin is that end-users (that is, my customers and owners of a website) use DirectAdmin to maintain their sites. I cannot explain a cross-site scripting bug to my end-users, who are (usually) not tech-savvy enough. I should also not have to tell them to use DA in a separate browser (certainly not in this day and age, where users use tabs all the time).

Thanks again for the quick action on this bug, I'll be waiting for the updated version.
 
What you can (should) do to prevent any problem related to XSS, CSRF and phishing: periodically remind your customers never to click on a link found in an email (or even a DA ticket system message) or on an external website that points to one of their domains or to any administration page known to them, but instead always type the "main" URI into the address bar and follow the trusted site's links up to the wanted page.
 
Hi,

You should set the session expiry time to 5-10 minutes, so that if the client doesn't log out, DirectAdmin will remove the session and the login/password form will appear. That would make this exploit hard to use.

I think 5 minutes is enough time for the user to do his job and log out by himself, or for the session to be removed automatically.

Danijel,
 