Directadmin ControlPanel DoS and XSS Vulns Exposed By Amir Of The IEDB Team
Iranian security researcher Amir, a member of the IEDB Team and founder of IEDB, IrIsT.ir and Xssed.ir, has published a DoS vulnerability in the DirectAdmin ControlPanel software (http://www.directadmin.com). DirectAdmin is a web hosting control panel for the remote, web-based administration of multiple web servers.
The vulnerability affects DirectAdmin ControlPanel version 1.50.1 and older. An attacker can submit a password of unlimited length in the password field of the DirectAdmin login screen (the field places no limit on the number of characters entered), which causes DirectAdmin to crash. This problem is present in all versions of DirectAdmin.
An attacker could write a script to mount a DDoS attack based on the following information:
http://IP:2222/CMD_LOGIN
POST /CMD_LOGIN HTTP/1.1
referer=%2F&username=$POC&password=$POC
$POC = A * 10000
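The defensive counterpart to the request above, as an added example that is not DirectAdmin's code: a size check on the CMD_LOGIN form body that rejects oversized fields before anything is URL-decoded or passed to the authentication backend. The limits and the sample request bodies are constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumed limits (not DirectAdmin's values): a cheap whole-body cap first,
# then per-field caps for the two fields the advisory's request carries.
MAX_BODY_LEN = 4096
MAX_FIELD_LEN = {"username": 64, "password": 256}


def check_login_body(raw_body: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a CMD_LOGIN form body.

    The byte-length check runs before parse_qs so a multi-megabyte body
    is dropped without ever being decoded or handed to the auth code.
    """
    if len(raw_body) > MAX_BODY_LEN:
        return False, f"body too large ({len(raw_body)} > {MAX_BODY_LEN})"
    fields = parse_qs(raw_body, keep_blank_values=True)
    for name, limit in MAX_FIELD_LEN.items():
        values = fields.get(name, [])
        if len(values) != 1:  # missing or repeated field is also rejected
            return False, f"expected exactly one {name!r} field"
        if len(values[0]) > limit:
            return False, f"{name} too long ({len(values[0])} > {limit})"
    return True, "ok"


# Constructed sample bodies: a normal login and one matching the
# advisory's pattern, where both fields are set to "A" * 10000.
NORMAL = "referer=%2F&username=admin&password=correct-horse"
OVERSIZED = "referer=%2F&username=" + "A" * 10000 + "&password=" + "A" * 10000


def scan_requests(bodies):
    """Detection pass over captured bodies: return (index, reason) for rejects."""
    flagged = []
    for i, body in enumerate(bodies):
        ok, reason = check_login_body(body)
        if not ok:
            flagged.append((i, reason))
    return flagged


if __name__ == "__main__":
    for body in (NORMAL, OVERSIZED):
        print(check_login_body(body))
```

The same check belongs at the reverse proxy in front of the panel (a request body size limit on /CMD_LOGIN), so the crash-prone handler never sees the oversized request.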
Links to details:
Amir has also recently published a cross-site scripting vulnerability in DirectAdmin ControlPanel that enables an attacker to suspend or unsuspend users.
Links to details:
Amir thanks all of the following:
- C0dex
- B3hz4d
- Beni_vanda
- Mr_time
- Bl4ck M4n
- black_security
- Yasser
- Ramin Assadian
- Black_Nofuzi
- SecureHost
- 1TED
- Mr_Kelever
- Mr_keeper
- Mahmod
- Iedb
- Khashayar
- B3hz4d4
- Shabgard
- Cl09er
- Ramin Asadyan
- Be_lucky
- Moslem Haghighian
- Dr_Iman
- 8Bit
- Javid
- Esmiley_Amir
- Mahdi_feizezade
- Amin_Zohrabi
- Shellshock3
- And all my friends and all members of the IEDB.ir team
Websites & contacts:
http://iedb.ir (Iranian Exploit DataBase and Iranian Security Team)
http://irist.ir (registry of hacked sites)
http://xssed.Ir (vulnerability and attack information site: XSS and SQLi)
Email: [email protected]
Amir on Telegram: https://telegram.me/AmirAm67
IEDB on Telegram: https://telegram.me/iedbteam