Sorunuz mu var?
Tel: 0850 800 1483

DirectAdmin XSS and CSRF Vulnerabilities

Multiple security vulnerabilities (CVE-2019-11193) has been discovered in popular server control panel DirectAdmin, by InfinitumIT. Attackers can combine those security vulnerabilities and do a lot of critical action like server control takeover.

Those vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) may cause them to happen:

• Add administrator,
• Delete administrator,
• Execute command remote (RCE)
• Full Backup the Server and Upload the Own Server
• Create FTP Accounts
• Edit the server files like /etc/named.conf and break the server.
• Upload files in directories, for example upload a webshell in public_html
• Steal Server Log Files
• Steal License Informations
• Restart or Start the Services
• Create Reseller and User
• Redirect Websites to Another URLs

We should manipulate the administrator’s request to make those attacks without administrator’s knowledge. Those attacks are named as Cross Site Request Forgery (CSRF). While we are checking the software is vulnerable to CSRF or not, we saw that some security preventions are blocking our harmful requests. We reviewed the software carefully again, and we saw that the developers are using “Referer Check” method to prevent CSRF attacks.So, if we could click administrator to external URL, the software will block our requests. Because of this, we should have the requests sent through the DirectAdmin address., we started to search XSS vulnerabilities in the software.

Finally, we have found those “Reflected Cross Site Scripting” vulnerabilities:


With those XSS vulnerabilities, we could bypass the “referer check” protection. It was finally as we expected, we could exploiting the CSRF vulnerabilities and had full privilege on the target servers. Let us give codes of some actions we have mentioned top.

Also, if you want you can review our Exploit-DB entry (https://www.exploit-db.com/exploits/46694)

Add Administrator:

Delete Administrator:

Edit File:

Create FTP Account:

Remote Command Execution:

Thank to DirectAdmin developers, because of following the incident carefully and caring about their users security extremely.

// For secure days…