ZSA-2020-2 - DirectAdmin reflected XSS in CMD_EMAIL_FILTER and CMD_EMAIL

Details: Created: 30 May 2020; Last Updated: 30 May 2020

Vulnerability

Affected software: DirectAdmin versions below 1.60.2

There is a reflected XSS in DirectAdmin e-mail word filter (CMD_EMAIL_FILTER) "Block all e-mail containing the word" field and e-mail forwarder creation (CMD_EMAIL_FORWARDER) "Forwarder Name" field.

Exploit

For CMD_EMAIL_FILTER, when You enter word containing invalid characters in "Block all e-mail containing the word" field, HTML/JavaScript contained in invalid word will be executed in error message:

For CMD_EMAIL_FORWARDER, when You enter e-mail local part containing invalid characters in "Forwarder Name" field, HTML/JavaScript contained in invalid e-mail will be executed in error message:

Solution

Update DirectAdmin to version 1.60.2 or later. Configuration option check_referer, which is enabled by default for new installations since 1.34.5, should prevent exploitation.

Timeline

2020-02-07 - Vulnerability reported to vendor.
2020-02-07 - Response from vendor and fix in pre-release binaries.
2020-02-08 - DirectAdmin version 1.60.2 released with vulnerability fixed.