AOH :: HP Unsorted D :: TB10190.HTM

DirectAdmin persistant XSS
DirectAdmin persistant XSS
DirectAdmin persistant XSS

+ Subject:
DirectAdmin persistant XSS [takeover an Administrator`s account]

+ Version:
< DirectAdmin 1.29.3

+ Discovered by:

+ DirectAdmin Description:
DirectAdmin is a popular, advanced Web Control Panel with many features 
for webhosting. 

+ Persistant XSS Description:
It is possible to take over an Administrator`s account by injecting 
persistent XSS data to the System Logs [/var/log/*].
When DirectAdmin's Administrator goes to Admin Tools/Log Viewer and press 
"Show log" to display logs - he can be a victim of XSS attack and his 
session can be easily taken over - which means that it is possible to run 
any command with DirectAdmin's Administrator priviliges.

I found out that 7 from 15 log files in the menu, could be used as means 
of injecting XSS to a system with no login credentials required.
Next 3 of them are possible to be injected when you are logged as a valid 
user in the DirectAdmin.

I was testing DirectAdmin on default Debian 4.0 installation but in 
general it should be working for other platforms too (with small changes I 


I) Examples of an attack without login credentials:

Log file: /var/log/exim/rejectlog, /var/log/exim/mainlog

Data is sent to IP with DirectAdmin to port 25:

Lines in log files:
mainlog: 2007-03-23 19:24:49 [] rejected 
rejectlog: 2007-03-23 19:24:49 [] rejected 

Log file: /var/log/proftpd/auth.log

Data is sent to IP with DirectAdmin to port 21:

Lines in log files:
auth.log:ProFTPd [28114] [23/Mar/2007:19:29:26 +0100] 
"USER " 331

Log file: /var/log/httpd/error_log

Data is sent to IP with DirectAdmin to port 80:
GET / 

Lines in log files:
error_log:[Fri Mar 23 19:33:37 2007] [error] [client] 
request failed: erroneous characters after protocol string: GET / 

Log file: /var/log/httpd/access_Log

Data is sent to "free (not attached to any user)" IP to port 80 (using 
wget IP 

Lines in log files:
access_log: - - [23/Mar/2007:19:36:46 +0100] "GET / 
HTTP/1.0" 200 2673 "-" 

Log file: /var/log/directadmin/error.log

Data is sent to first DirectAdmin login page:

password: any (not empty)

Lines in log files:
error.log:2007:03:23-19:39:44: Auth::passValid: unable to get user_info 

Log file: /var/log/directadmin/security.log

Data is sent to first DirectAdmin login page:

Lines in log files:
security.log:2007:03:23-19:39:44: *** has tried to login 
with an invalid username: 
'' ***

II) Examples of an attack with login credentials:

Log file: /var/log/directadmin/security.log
Via WWW: 

Via ftp login: lftp login@directadmin:/> get 

Log file: /var/log/messages
via php: ""'); 

Log file: /var/log/messages
via ssh: /usr/bin/logger 

2007.02.25 bug discovered
2007.03.00 bug tested
2007.03.23 bug sent via Technical Support mail from 
2007.03.24 fast response after few hours from DirectAdmin : Thanks for the report. Fix will be out within a few hours with DA 1.29.3
2007.03.24 DirectAdmin 1.29.3 Patched - Overview : use html characters for log viewer, Description: Ensure all charcters are html encoded when viewing logs through the log viewer.

Original Advisory: 

[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member... 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to