Vulnerability

Affected software: DirectAdmin versions below 1.60.2

There is a reflected XSS in the DirectAdmin e-mail word filter (CMD_EMAIL_FILTER) "Block all e-mail containing the word" field and in e-mail forwarder creation (CMD_EMAIL_FORWARDER) "Forwarder Name" field.

Exploit

For CMD_EMAIL_FILTER, when you enter a word containing invalid characters in the "Block all e-mail containing the word" field, the HTML/JavaScript contained in the invalid word is executed in the error message:

For CMD_EMAIL_FORWARDER, when you enter an e-mail local part containing invalid characters in the "Forwarder Name" field, the HTML/JavaScript contained in the invalid e-mail is executed in the error message:
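
The root cause in both fields is the same: the value fails validation, and the error page then reflects the rejected value verbatim into HTML. The following is an added illustration, not DirectAdmin code; the validation pattern and message wording are assumptions. It shows the vulnerable "validate, then echo" pattern beside the hardened one that HTML-escapes the rejected value before it is placed in the error page.

```python
import html
import re
from typing import Optional

# Assumed character whitelist for an e-mail local part or filter word.
# This is a constructed rule for the example, not DirectAdmin's actual check.
ALLOWED_VALUE_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_field(value: str) -> Optional[str]:
    """Return a plain-text error message, or None if the value is acceptable."""
    if not ALLOWED_VALUE_RE.fullmatch(value):
        # The rejected input is part of the message: this is what gets reflected.
        return f"{value} is not a valid forwarder name or filter word"
    return None


def render_error_unsafe(value: str) -> str:
    """Vulnerable pattern: the message (and with it the raw input) is
    concatenated straight into the HTML response."""
    msg = validate_field(value)
    return f'<p class="error">{msg}</p>' if msg else ""


def render_error_safe(value: str) -> str:
    """Hardened pattern: escape the message for an HTML text context before
    it reaches the page, so rejected input can never become markup."""
    msg = validate_field(value)
    return f'<p class="error">{html.escape(msg, quote=True)}</p>' if msg else ""


def contains_raw_tag(fragment: str, tag: str) -> bool:
    """Small check used to show whether user-supplied markup survived rendering."""
    return f"<{tag}>" in fragment


if __name__ == "__main__":
    # Constructed input: a filter word that carries HTML instead of a script.
    sample = "bad<b>word</b>"
    print(render_error_unsafe(sample))  # markup is live in the page
    print(render_error_safe(sample))    # markup is shown as text only
```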

Solution

Update DirectAdmin to version 1.60.2 or later. The configuration option check_referer, which has been enabled by default for new installations since 1.34.5, should prevent exploitation.

Timeline

  • 2020-02-07 - Vulnerability reported to vendor.
  • 2020-02-07 - Response from vendor and fix in pre-release binaries.
  • 2020-02-08 - DirectAdmin version 1.60.2 released with vulnerability fixed.