DirectAdmin <= v1.30.2 XSS vuln.

2007-09-11T00:00:00
ID SECURITYVULNS:DOC:17958
Type securityvulns
Reporter Securityvulns
Modified 2007-09-11T00:00:00

Description

DirectAdmin <= v1.30.2 XSS vuln.

Vuln. discovered by : r0t Date: 10 September 2007 vendor:http://www.directadmin.com/ orginal advisory: http://pridels-team.blogspot.com/2007/09/directadmin-v1302-xss-vuln.html affected versions:v1.30.2 and previous

DirectAdmin contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "user" parameter in "CMD_BANDWIDTH_BREAKDOWN" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution: Filter malicious characters and character sequences in a web proxy.