Directadmin ControlPanel DoS and XSS Vulns Exposed By Amir Of The IEDB Team

Iranian security researcher and IEDB Team member/IEDB/IrIsT.ir and Xssed.ir founder Amir has published a DoS vulnerability in the Directadmin ControlPanel software -http://www.directadmin.com- Directadmin is a web hosting control panel for the remote web-based administration of multiple web servers.

The vulnerability affects Directadmin ControlPanel version 1.50.1 and older. In this vulnerability, an attacker can input an unlimited length password in the password field of the DirectAdmin login screen -there is no limit on the number of characters entered- which causes DirectAdmin to crash. This problem is present in all versions of DirectAdmin.

An attacker could write a script to attack DDoS based on the following information :

http://IP:2222/CMD_LOGIN
POST /CMD_LOGIN HTTP/1.1
referer=%2F&username=$POC&password=$POC
$POC = A * 10000

Links to details :

Amir has also published recently a cross-site scripting vulnerability for Directadmin ControlPanel which enables an attacker to suspend or unsuspend users.

Links to details:

Other published vulnerabilities discovered by IEDB/IrIsT are here

Amir credits thanks to all of the following :

  • C0dex
  • B3hz4d
  • Beni_vanda
  • Mr_time
  • Bl4ck M4n
  • black_security
  • Yasser
  • Ramin Assadian
  • Black_Nofuzi
  • SecureHost
  • 1TED
  • Mr_Kelever
  • Mr_keeper
  • Mahmod
  • Iedb
  • Khashayar
  • B3hz4d4
  • Shabgard
  • Cl09er
  • Ramin Asadyan
  • Be_lucky
  • Moslem Haghighian
  • Dr_Iman
  • 8Bit
  • Javid
  • Esmiley_Amir
  • Mahdi_feizezade
  • Amin_Zohrabi
  • Shellshock3
  • And all my friends And All Member In Iedb.Ir Team
Amir -Amir Moosavi- is also associated with the Khestak Security Team -see our article here– and the Turk Black Hat team.

Websites & contacts :

http://iedb.ir     Iranian Exploit DataBase And Iranian Security Team
http://irist.ir     Register hacked sites
http://xssed.Ir  Vulnerability & attack information site -XSS and SQLi-

Email : [email protected]
Amir Telegram : https://telegram.me/AmirAm67
IEDB Telegram : https://telegram.me/iedbteam

Leave a Reply

Your email address will not be published. Required fields are marked *