Serious leak!

[thijssie]

Hi,

See this post:

Ernstig beveiligingslek ontdekt in directadmin

Hoi, zie onderwerp. Ik ga niet zeggen hoe of iedereen hier is in gevaar. Getest met verschillende ips, os'en, mac-adressen, geen credentials nodig maa

www.sitedeals.nl

Translation:
Hi, see topic.

I'm not going to say how or everyone here is at risk. Tested with different ips, os, mac addresses, no credentials needed, but 1 cookie. I have set up a POC with DirectAdmin friend and unfortunately it works perfectly.

Theoretical consequences:
- If I post a link with a site here, I have each visitor's files from all websites, including the credentials and domain of all databases.
- I could have Adsense codes changed by mine every time they are updated
- General damage / trolling / defacing websites
- Sell user data
- Steal credit card data from customers web shops

In short: even though I need a simple cookie, this is major. [removed, gives experts a clue].

How do I report this? It's very easy to fix yet. They do have 10 things they need to improve. How can they not know this? Are they still active, are they still doing patches? I'm talking about the File Manager of DirectAdmin, so mss not theirs, so nothing against DA itself. But also best to report to DA?

Can I ask for a small compensation for reporting this? I am honest and I also have to earn a living.

Greetings

Niels

--

Can you get started with this!

 

[k1l0b1t]

Did you contact directadmin itself allready? You should do that first if you did not allready.

 

[kristian]

Considering this is mainly a community forum, it is not the best place to bring up security issues in the hopes that they will be picked up by the developers. I suggest you send an email to [email protected] instead.

 

[thijssie]

I dont the writer of that post, but i read it. So i just post it here.

 

[Richard G]

Yes, but you could reply to the topic that he can contact [email protected] to point out the security issue.

 

[Arieh]

At this point any of us could have notified staff since we all have read the same info by now. That's why I just send the e-mail to [email protected] linking this topic.

(And I see someone already suggested to contact support on the sitedeals topic.)

 

[Richard G]

Yep that suggestion was made by me over there. I put it there because it was best the original poster would send it to them. The author has the proper procedure on how to reproduce it, which Thijssie does not have.

 

[DirectAdmin Support]

See this post:

Ernstig beveiligingslek ontdekt in directadmin

Hoi, zie onderwerp. Ik ga niet zeggen hoe of iedereen hier is in gevaar. Getest met verschillende ips, os'en, mac-adressen, geen credentials nodig maa

www.sitedeals.nl

Hello,

Please have Niels contact us at [email protected]. We do offer compensation if the threat is valid.
We're not currently aware of any issues, and this is often the confusion:

https://help.directadmin.com/item.php?id=619

However, we do appreciate the report, especially if unsure, so as to close any possible holes, real or not.

The comment "I need a simple cookie" may imply that the attacker requires a copy of the cookie from the victim's browser, but I can't see how anyone could predict that unless provided to them directly.
We do include the "secure" flag with https cookie: https://www.directadmin.com/features.php?id=955
and HttpOnly is always included.

Either way, I'll be happy to take a look, we just need the info!
support@

Thanks,
John