directadmin-xss.txt

2007-02-06T00:00:00
ID PACKETSTORM:54189
Type packetstorm
Reporter DoZ
Modified 2007-02-06T00:00:00

Description

DirectAdmin Multiple Cross Site Scripting Vulnerabilities
  
  
DirectAdmin is a control panel for web hosting companies running Red Hat 7.x, 8.x, 9.x,
Red Hat Enterprise and FreeBSD. These issues are due to a failure in the
application to properly sanitize user-supplied input. Attackers may
exploit them via a web client. An attacker may leverage these
issues to have arbitrary script code execute in the browser of an
unsuspecting user in the context of the affected site. This may help
the attacker steal cookie-based authentication credentials and launch
other attacks. A successful exploit could allow an attacker to
compromise the application, access or modify data, or exploit
vulnerabilities in the underlying database implementation.
  
  
Hackers Center Security Group (http://www.hackerscenter.com)  
Credit: Doz  
  
  
Remote: Yes  
Local: Yes  
Class: Cross-Site Scripting  
  
  
  
Vendor: http://www.directadmin.com/  
Version: 1.29.0  
  
  
Attackers can exploit these issues via a web client.  
  
  
XSS:  
  
www.site.com:2222/CMD_FILE_MANAGER/xss  
  
www.site.com:2222/CMD_FILE_MANAGER/images=xss  
  
www.site.com:2222/CMD_TICKET?action=view&number=000000044&type=XSS  
  
www.site.com:2222/CMD_EMAIL_VACATION_MODIFY?DOMAIN=demo.com&user=XSS  
  
www.site.com:2222/CMD_TICKET_CREATE?TYPE=XSS  
  
www.site.com:2222/HTM_EMAIL_POP_MODIFY?DOMAIN=demo.com&USER=xss  
  
www.site.com:2222/CMD_ADMIN_FILE_EDITOR?file=XSS  
  
www.site.com:2222/CMD_SHOW_USER?user=XSS  
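As an added example (not part of the advisory and not DirectAdmin's own code), the following Python scans access-log lines for requests to the endpoints listed above whose reflected parameter carries HTML markup, which is how a defender would spot probing of these issues on a DirectAdmin panel. The Apache-style log format, the sample lines and the IP addresses are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# DirectAdmin endpoints named in the advisory (the panel listens on port 2222).
ENDPOINTS = ("/CMD_FILE_MANAGER", "/CMD_TICKET", "/CMD_EMAIL_VACATION_MODIFY",
             "/CMD_TICKET_CREATE", "/HTM_EMAIL_POP_MODIFY",
             "/CMD_ADMIN_FILE_EDITOR", "/CMD_SHOW_USER")

# Markup that legitimate user names, file names, ticket numbers and domains never
# contain; its presence in a reflected parameter marks an XSS probe.
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

# Assumed Apache-style combined access-log format (constructed for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

def flag_request(line):
    """Return (ip, endpoint, parameter, decoded value) when the request is an XSS
    probe against one of the advisory endpoints, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    endpoint = next((e for e in ENDPOINTS if path == e or path.startswith(e + "/")), None)
    if endpoint is None:
        return None
    # CMD_FILE_MANAGER reflects the path segment after it, so inspect that as well;
    # parse_qsl percent-decodes the query values for us.
    candidates = [("path", path[len(endpoint) + 1:])] if path != endpoint else []
    candidates += parse_qsl(parts.query, keep_blank_values=True)
    for name, value in candidates:
        if MARKUP_RE.search(value):
            return (m.group("ip"), endpoint, name, value)
    return None

def scan(lines):
    """Return every flagged request, in log order."""
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample log: two query-parameter probes, one benign request, one probe
# in the file-manager path, and one request outside the panel.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Feb/2007:10:14:02 +0000] "GET /CMD_SHOW_USER?user=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Feb/2007:10:14:09 +0000] "GET /CMD_TICKET?action=view&number=000000044&type=%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 733',
    '192.0.2.11 - - [06/Feb/2007:10:15:30 +0000] "GET /CMD_SHOW_USER?user=alice HTTP/1.1" 200 480',
    '192.0.2.12 - - [06/Feb/2007:10:16:01 +0000] "GET /CMD_FILE_MANAGER/%3Cscript%3E HTTP/1.1" 200 300',
    '192.0.2.13 - - [06/Feb/2007:10:17:45 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 120',
]
```

Running `scan(SAMPLE_LOG)` flags the first, second and fourth lines and leaves the benign lookup and the off-panel request alone.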
  
  
Uebimiau Mail (HSC Advisory)  
  
www.site.com/webmail/index.php?lid=en_UK&tid=aleborg&f_user=&six=&f_email=XSS  
  
  
  
  
Security researcher? Join us: mail Zinho at zinho at hackerscenter.com  
  
  
  