DirectAdmin v1.680 DOM Injection via return-to Parameter
DirectAdmin v1.680 has a DOM injection vulnerability: an attacker can inject large amounts of text through the return-to parameter to cover the login interface, hide the real input fields, and display malicious content for phishing or credential theft. 2025-10-9 20:0:46 Author: cxsecurity.com (view original) Views: 131

########################################################################
# Exploit Title: DirectAdmin v1.680 DOM Injection via return-to Parameter (UI Misrepresentation)
# Exploit Author: Scott Sturrock 'ssturrock -at- protonmail -dot- com'
# Vendor Homepage: https://www.directadmin.com/
# Software Link: https://www.directadmin.com/download/
# Version: DirectAdmin v1.680 and earlier
# CVE: CVE-2025-56551
########################################################################

DirectAdmin v1.680 is vulnerable to user interface manipulation via injection into the return-to parameter on the Evolution login page. The application reflects user-supplied values from the return-to query string directly into the visible DOM without sanitisation, escaping, or length limits. This allows an attacker to inject large volumes of visible text into the login interface and displace legitimate UI elements, such as the username and password fields, entirely off-screen.

Steps to reproduce:

1. Navigate to: https://target-host:2222/evo/login?return-to=/
2. Append a crafted payload after the slash, such as:
   https://target-host:2222/evo/login?return-to=/--------------------------------------------------<payload>
3. Use a percent-encoded payload consisting of:
   - Dozens or hundreds of hyphens (`-`) or <br> equivalents
   - Percent-encoded content (e.g. %73%75%73%70%65%6e%64 etc.) simulating a warning message or phishing-style text
4. When rendered, the application displays the attacker's message inline with the login interface, while pushing the original login form out of the viewport, preventing user interaction.

Impact:

- The legitimate login fields are no longer visible
- Victims are presented with attacker-controlled interface content
- Creates an opportunity for phishing or credential theft
- Content may be indexed or archived by search engines, resulting in reputational or SEO-related harm
- No authentication is required to perform the attack; it is triggered via a GET request

Proof of concept:

https://i.imgur.com/qA6SAXO.png
https://i.imgur.com/4HF0cnP.png

CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
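The root cause described above is an unbounded, unescaped reflection of the return-to value into the visible DOM. The following is an added example, not DirectAdmin's code, showing how a login page can handle such a parameter defensively (length cap, same-origin relative-path check, conservative charset, HTML escaping before any display) and how the same validator can be run over web-server access logs to flag requests that abuse the parameter. Function names, the 256-character limit and the sample log lines are assumptions constructed for this example.

```javascript
// Added example (not DirectAdmin's code): defensive handling of a
// "return-to" style post-login redirect parameter, plus an access-log
// scan that flags requests abusing it. Names, limits and log lines are
// constructed assumptions for this illustration.

const MAX_RETURN_TO_LENGTH = 256; // assumed cap; pick one that fits real paths

// Returns a safe same-origin path to continue to after login, or "/" when
// the supplied value (already URL-decoded, as from URLSearchParams) is
// missing, oversized or not a plain relative path.
function sanitizeReturnTo(raw) {
  if (typeof raw !== "string" || raw.length === 0) return { path: "/", reason: "empty" };
  if (raw.length > MAX_RETURN_TO_LENGTH) return { path: "/", reason: "too-long" };
  // Exactly one leading slash: "/" and "/user/files" pass; "//host",
  // "/\host" and absolute URLs do not.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return { path: "/", reason: "not-relative" };
  }
  // Conservative path charset: no whitespace, control characters, '<', '>',
  // quotes or '%' (a literal '%' would let a double-encoded value through).
  if (!/^[A-Za-z0-9\/._~?&=-]*$/.test(raw)) return { path: "/", reason: "bad-chars" };
  // Resolve against a placeholder origin so ".." segments cannot escape it.
  const url = new URL(raw, "https://placeholder.invalid");
  if (url.origin !== "https://placeholder.invalid") return { path: "/", reason: "not-relative" };
  return { path: url.pathname + url.search, reason: "ok" };
}

// If the value must be shown to the user, escape it and insert the result as
// text (never through innerHTML). The charset above already excludes '<' and
// '>', but '&' in a query string still needs escaping.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderReturnToNotice(raw) {
  const { path } = sanitizeReturnTo(raw);
  return `<p class="notice">After login you will continue to ${escapeHtml(path)}</p>`;
}

// Detection: flag access-log requests to the login page whose return-to
// parameter fails the validator. Lines are in a common-log-like format.
function flagSuspiciousReturnTo(logLines) {
  const findings = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    let url;
    try {
      url = new URL(m[1], "https://placeholder.invalid");
    } catch {
      continue;
    }
    if (!url.pathname.endsWith("/evo/login")) continue;
    const rt = url.searchParams.get("return-to"); // decoded value
    if (rt === null) continue;
    const verdict = sanitizeReturnTo(rt);
    if (verdict.reason !== "ok") findings.push({ line, rawLength: rt.length, reason: verdict.reason });
  }
  return findings;
}

// Constructed sample log lines (RFC 5737 documentation addresses).
const SAMPLE_LOG = [
  '203.0.113.5 - - [09/Oct/2025:20:00:46 +0100] "GET /evo/login?return-to=/ HTTP/1.1" 200 1532',
  '203.0.113.5 - - [09/Oct/2025:20:00:47 +0100] "GET /evo/login?return-to=/user/files HTTP/1.1" 200 1532',
  '198.51.100.7 - - [09/Oct/2025:20:01:10 +0100] "GET /evo/login?return-to=/' + "-".repeat(400) + ' HTTP/1.1" 200 1532',
  '198.51.100.7 - - [09/Oct/2025:20:01:11 +0100] "GET /evo/login?return-to=//evil.example/ HTTP/1.1" 200 1532',
  '198.51.100.9 - - [09/Oct/2025:20:01:12 +0100] "GET /evo/login?return-to=/%3Cbr%3E HTTP/1.1" 200 1532',
];

for (const f of flagSuspiciousReturnTo(SAMPLE_LOG)) {
  console.log(`${f.reason} (return-to length ${f.rawLength}): ${f.line.slice(0, 80)}...`);
}
```

The validator runs on the decoded value so that percent-encoded hyphen walls and markup are judged by what they render as, and it rejects any value that would need further decoding. Running the same function over logs gives a cheap retrospective check for whether the parameter was being abused before a fix was deployed.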

Article source: https://cxsecurity.com/issue/WLB-2025100007