Vulnerability
Affected software: DirectAdmin versions below 1.60.2
There is a reflected XSS in the DirectAdmin e-mail word filter (CMD_EMAIL_FILTER) "Block all e-mail containing the word" field and in the e-mail forwarder creation (CMD_EMAIL_FORWARDER) "Forwarder Name" field.
Exploit
For CMD_EMAIL_FILTER, when you enter a word containing invalid characters in the "Block all e-mail containing the word" field, HTML/JavaScript contained in the invalid word will be executed in the error message:
For CMD_EMAIL_FORWARDER, when you enter an e-mail local part containing invalid characters in the "Forwarder Name" field, HTML/JavaScript contained in the invalid e-mail will be executed in the error message:
Solution
Update DirectAdmin to version 1.60.2 or later. The configuration option check_referer, which is enabled by default for new installations since 1.34.5, should prevent exploitation.
Timeline
- 2020-02-07 - Vulnerability reported to vendor.
- 2020-02-07 - Response from vendor and fix in pre-release binaries.
- 2020-02-08 - DirectAdmin version 1.60.2 released with vulnerability fixed.