# Exploit Title: DirectAdmin v1.680 DOM Injection via return-to Parameter (UI Misrepresentation)
# Exploit Author: Scott Sturrock 'ssturrock -at- protonmail -dot- com'
# Vendor Homepage: https://www.directadmin.com/
# Software Link: https://www.directadmin.com/download/
# Version: DirectAdmin v1.680 and earlier
# CVE: CVE-2025-56551
DirectAdmin v1.680 is vulnerable to user interface manipulation via injection into the return-to parameter on the Evolution login page. The application reflects user-supplied values from the return-to query string directly into the visible DOM without sanitisation, escaping, or length limits. This allows an attacker to inject large volumes of visible text into the login interface and displace legitimate UI elements such as the username and password fields entirely off-screen.
Steps to reproduce:
1. Navigate to:
   https://target-host:2222/evo/login?return-to=/
2. Append a crafted payload after the slash, such as:
   https://target-host:2222/evo/login?return-to=/--------------------------------------------------<payload>
3. Use a percent-encoded payload consisting of:
   - Dozens or hundreds of hyphens (`-`) or `<br>` equivalents
   - Percent-encoded content (e.g. %73%75%73%70%65%6e%64, which decodes to "suspend") simulating a warning message or phishing-style text
4. When rendered, the application displays the attacker's message inline with the login interface, while pushing the original login form out of the viewport and preventing user interaction.
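The following is an added example, not DirectAdmin code: a validator that restricts a return-to value to a short same-origin path before it is ever placed in the DOM, plus a check over constructed access-log lines that flags requests shaped like the payload above. The 256-character cap, the filler-run threshold and the log format are assumptions.

```javascript
// Added example, not DirectAdmin code. Assumed policy: return-to must be a short,
// same-origin path; anything else falls back to "/". Whatever is displayed to the
// user should then be set via textContent, never innerHTML.
const MAX_RETURN_TO = 256; // assumption: legitimate post-login paths are short

function safeReturnTo(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_RETURN_TO) return fallback;
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch (e) { return fallback; } // malformed %-encoding
  // Same-origin absolute path only: a single leading "/", so no scheme and no "//host".
  if (!decoded.startsWith("/") || decoded.startsWith("//") || decoded.startsWith("/\\")) return fallback;
  // Strict allowlist of path/query characters: rejects whitespace, <, >, quotes and control bytes.
  if (!/^\/[A-Za-z0-9._~\/-]*(\?[A-Za-z0-9._~\/=&-]*)?$/.test(decoded)) return fallback;
  // Reject long runs of filler (the advisory uses dozens of hyphens to push the form off-screen).
  if (/([-._])\1{9,}/.test(decoded)) return fallback;
  return decoded;
}

// Detection over access-log lines: flag login requests whose raw return-to value is
// oversized, mostly filler, heavily percent-encoded, or rejected by the validator above.
function flagSuspiciousLogins(logLines) {
  const flagged = [];
  logLines.forEach((line, idx) => {
    const m = line.match(/^(\S+) .*"GET \/evo\/login\?(?:[^" ]*&)?return-to=([^&" ]*)/);
    if (!m) return;
    const raw = m[2];
    const pctCount = (raw.match(/%[0-9A-Fa-f]{2}/g) || []).length;
    let reason = null;
    if (raw.length > MAX_RETURN_TO) reason = "oversized";
    else if (/([-._])\1{9,}/.test(raw)) reason = "filler-run";
    else if (pctCount >= 8) reason = "heavily-encoded";
    else if (safeReturnTo(raw, null) === null) reason = "invalid-path";
    if (reason) flagged.push({ line: idx, client: m[1], reason });
  });
  return flagged;
}

// Constructed sample log lines (not real traffic); the third mirrors the advisory's payload shape.
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /evo/login?return-to=/ HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /evo/login?return-to=/user/files HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /evo/login?return-to=/' +
    '-'.repeat(60) + '%73%75%73%70%65%6e%64 HTTP/1.1" 200 512',
];
```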
Impact:
- The legitimate login fields are no longer visible
- Victims are presented with attacker-controlled interface content
- Creates an opportunity for phishing or credential theft
- Content may be indexed or archived by search engines, resulting in reputational or SEO-related harm
- No authentication is required to perform the attack; it is triggered via a single GET request
Proof of concept:
https://i.imgur.com/qA6SAXO.png
https://i.imgur.com/4HF0cnP.png
CWE:
CWE-451: User Interface (UI) Misrepresentation of Critical Information