DirectAdmin v1.680 DOM Injection via return-to Parameter (UI Misrepresentation)
DirectAdmin v1.680 has a DOM injection vulnerability: an attacker can reflect user input into the DOM through the `return-to` parameter, resulting in UI tampering. The large volume of injected text covers the original login interface elements, hiding the username and password fields and displaying attacker-controlled content. The flaw can be used for phishing or credential theft, and the injected content may be indexed by search engines. No authentication is needed; the attack is triggered with a GET request.

2025-10-1 20:54:20 Author: cxsecurity.com


# Exploit Title: DirectAdmin v1.680 DOM Injection via return-to Parameter (UI Misrepresentation)
# Exploit Author: Scott Sturrock 'ssturrock -at- protonmail -dot- com'
# Vendor Homepage: https://www.directadmin.com/
# Software Link: https://www.directadmin.com/download/
# Version: DirectAdmin v1.680 and earlier
# CVE: CVE-2025-56551

DirectAdmin v1.680 is vulnerable to user interface manipulation via injection into the return-to parameter on the Evolution login page. The application reflects user-supplied values from the return-to query string directly into the visible DOM without sanitisation, escaping, or length limits. This allows an attacker to inject large volumes of visible text into the login interface and displace legitimate UI elements such as the username and password fields entirely off-screen.

Steps to reproduce:

1. Navigate to: https://target-host:2222/evo/login?return-to=/
2. Append a crafted payload after the slash, such as: https://target-host:2222/evo/login?return-to=/--------------------------------------------------<payload>
3. Use a percent-encoded payload consisting of:
   - Dozens or hundreds of hyphens (`-`) or <br> equivalents
   - Percent-encoded content (e.g. %73%75%73%70%65%6e%64 etc.) simulating a warning message or phishing-style text
4. When rendered, the application displays the attacker's message inline with the login interface, while pushing the original login form out of the viewport, preventing user interaction.

Impact:

- The legitimate login fields are no longer visible
- Victims are presented with attacker-controlled interface content
- Creates an opportunity for phishing or credential theft
- Content may be indexed or archived by search engines, resulting in reputational or SEO-related harm
- No authentication is required to perform the attack; it is triggered via a GET request

Proof of concept:

https://i.imgur.com/qA6SAXO.png
https://i.imgur.com/4HF0cnP.png

CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
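The mitigation the advisory implies (sanitisation, escaping and a length limit on `return-to`), as an added example that is not DirectAdmin's code: the parameter is accepted only as a same-origin relative path under a cap, and is HTML-escaped if the page ever displays it. The 256-character cap, the allowed character set and the function names are assumptions.

```javascript
// Added example, not DirectAdmin's code: defensive handling of a
// `return-to` query parameter so a reflected value cannot reshape the
// login UI. The length cap and allowed character set are assumptions.

const MAX_RETURN_TO_LENGTH = 256;   // assumed cap; the advisory notes none existed
const FALLBACK = '/';
// Same-origin relative path: a single leading slash (not "//", which would
// be scheme-relative), followed by a conservative path/query alphabet.
const SAFE_PATH = /^\/(?!\/)[A-Za-z0-9._~\/?=&-]*$/;

// Returns a validated relative path, or FALLBACK for anything else.
function sanitizeReturnTo(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return FALLBACK;
  if (raw.length > MAX_RETURN_TO_LENGTH) return FALLBACK;
  let decoded;
  try {
    // Decode first so percent-encoded payloads (e.g. %73%75%73%70%65%6e%64,
    // which is "suspend") are checked in the form the browser would render.
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return FALLBACK;   // malformed percent-escapes
  }
  if (decoded.length > MAX_RETURN_TO_LENGTH) return FALLBACK;
  if (/[\x00-\x1f\x7f\\]/.test(decoded)) return FALLBACK;   // control chars, backslash
  if (!SAFE_PATH.test(decoded)) return FALLBACK;            // rejects <br>, spaces, schemes, "//"
  return decoded;
}

// Escape for an HTML text context; apply whenever a parameter is shown to the user.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// If the login page must mention the return target at all, build the
// markup from the validated, escaped value rather than the raw parameter.
function loginNoticeHtml(rawReturnTo) {
  const target = escapeHtml(sanitizeReturnTo(rawReturnTo));
  return `<p class="notice">After signing in you will return to ${target}</p>`;
}
```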



 



Source: https://cxsecurity.com/issue/WLB-2025100001