Cybertrion Systems

[2/5] DirectAdmin “domain” Cross-Site Scripting

June 29th, 2007 by

r0t has reported a vulnerability in DirectAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "domain" parameter in CMD_USER_STATS is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Successful exploitation requires that the target user has valid user credentials.

The vulnerability is reported in version 1.30.1. Other versions may also be affected.

Solution:
Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
r0t

Original Advisory:
http://pridels-team.blogspot.com/2007/06/directadmin-xss-vuln.html
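The bug class above is a reflected XSS: a request parameter is copied into the HTML response without output encoding. The following is an added example, not DirectAdmin code and not part of the original advisory. It uses a constructed stand-in for a stats page that echoes a "domain" parameter, shows the vulnerable rendering beside the fixed one (HTML-escaping the value at the point of output, which is the code-level fix as opposed to the proxy-side filtering the advisory suggests), and includes a small check that reports whether a unique canary comes back raw or encoded. The endpoint name CMD_USER_STATS and parameter name are taken from the advisory; the render functions, the canary and the check are assumptions for illustration.

```python
import html
from urllib.parse import urlencode

# Constructed stand-in for a stats page that reflects the "domain" parameter.
# This is NOT DirectAdmin's code; it only models the behaviour the advisory describes.
def render_stats_vulnerable(params: dict) -> str:
    domain = params.get("domain", "")
    # Value is interpolated straight into markup: attacker-controlled HTML executes.
    return f"<html><body><h1>Statistics for {domain}</h1></body></html>"


def render_stats_fixed(params: dict) -> str:
    # Output encoding at the point of use: <, >, &, " and ' become entities,
    # so the value can only ever be rendered as text inside the <h1>.
    domain = html.escape(params.get("domain", ""), quote=True)
    return f"<html><body><h1>Statistics for {domain}</h1></body></html>"


# Unique canary (assumed): breaks out of an attribute and injects a tag,
# but is harmless and unlikely to appear in a normal page by chance.
CANARY = '"><xss1337>'


def reflected_unescaped(body: str, canary: str = CANARY) -> bool:
    """True if the canary appears verbatim (not HTML-encoded) in the response body."""
    return canary in body


def reflected_encoded(body: str, canary: str = CANARY) -> bool:
    """True if the canary appears only in its HTML-escaped form (safe reflection)."""
    return html.escape(canary, quote=True) in body and canary not in body


def check_endpoint(render, param: str = "domain", path: str = "/CMD_USER_STATS") -> dict:
    """
    Send the canary through the given page renderer and classify the reflection.
    In a real test the request would carry an authenticated session cookie, since
    the advisory notes that exploitation requires valid user credentials; here the
    renderer is called directly so the example runs offline.
    """
    params = {param: CANARY}
    body = render(params)
    return {
        "url": path + "?" + urlencode(params),
        "reflected_raw": reflected_unescaped(body),
        "reflected_encoded": reflected_encoded(body),
    }


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_stats_vulnerable),
                           ("fixed", render_stats_fixed)):
        result = check_endpoint(renderer)
        verdict = "XSS: canary reflected unescaped" if result["reflected_raw"] else "safe"
        print(f"{name:10s} {result['url']}  ->  {verdict}")
```

Run the file directly to see both verdicts; the "raw" classification is the one that matters, since an encoded reflection of the canary means the page is treating the value as text.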

Original post by Pankaj
