We get these reports on occasion, but DirectAdmin has had a referer checking tool for quite some time now:
Since this was added, none of the external XSS/CSRF reports have been valid.
People who think they've found one are often testing with a form in the DA skin, on port 2222 on the same IP.
This means the form is in the skin, which is exactly where it normally lives for its intended purpose, so of course the form submission passes, as one would expect. That test is only possible if they already have access to edit the skins, which means they already have root access on your server, so the XSS test doesn't mean anything.
An external form, differing in either IP or port, will fail the check_referer=1 test.
In DA debug mode, a sample might look like this, where 184.108.40.206 is the server IP, and we actually put the hacking test on the same IP. In real life, the attacking form would typically be hosted on a different IP, but that only adds one more thing for the referer check to find. This just proves that even the variance in the port alone is sufficient to stop the attack.
This test has http://220.127.116.11/hack.html with any standard form you want, DA on http://18.104.22.168:2222, with the client IP being 22.214.171.124:
Checking referer http://126.96.36.199/hack.html to 188.8.131.52:2222
2016:03:31-15:49:00: Referer port (80) does not match DA's (2222): http://184.108.40.206/hack.html
So before submitting your security report, please check to ensure that you're not actually testing your form on port 2222, because that is where it is going to be valid. Test with your form on any different port or IP.
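As an added illustration (not DirectAdmin's own code), the following Python models the decision the check_referer=1 setting makes in the debug lines above: the Referer's host and port, with the scheme's default port filled in when the URL gives none, must both equal DA's own, and a missing or unparseable header fails closed. The documentation-range IPs are constructed, and the 2222 default plus the message wording are assumptions modelled on the log output shown.

```python
from urllib.parse import urlsplit

# Default ports implied when the Referer URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_origin(referer):
    """Return (host, port) for a Referer value, or None if it is not a usable http(s) URL."""
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.hostname, port


def check_referer(referer, da_host, da_port=2222):
    """Model of a check_referer=1 decision. Returns (accepted, reason)."""
    if not referer:
        return False, "Referer header missing"
    origin = referer_origin(referer)
    if origin is None:
        return False, f"Referer is not a parseable http(s) URL: {referer}"
    host, port = origin
    if host != da_host:
        return False, f"Referer host ({host}) does not match DA's ({da_host}): {referer}"
    if port != da_port:
        return False, f"Referer port ({port}) does not match DA's ({da_port}): {referer}"
    return True, f"Referer matches DA's host and port ({da_host}:{da_port})"


def run_samples(da_host="192.0.2.10"):
    """Constructed cases: form on the same IP but port 80, a different IP on 2222,
    the skin's own form on DA's port, and a request with no Referer at all."""
    cases = [
        f"http://{da_host}/hack.html",          # same IP, port 80 -> port mismatch
        "http://192.0.2.99:2222/hack.html",     # other IP, DA's port -> host mismatch
        f"http://{da_host}:2222/CMD_LOGIN",     # form served from the DA skin -> passes
        "",                                     # no Referer -> rejected
    ]
    return {ref: check_referer(ref, da_host) for ref in cases}


if __name__ == "__main__":
    for ref, (ok, why) in run_samples().items():
        print("PASS" if ok else "FAIL", "-", why)
```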
See also: How to run DirectAdmin in debug mode
© 2018 JBMC Software