security: encoding of domain output on CMD_DOMAIN

Version 1.41

Bugfix
Finished

In response to this report: http://packetstormsecurity.org/files/112225/DirectAdmin-1.403-Cross-Site-Scripting.html the domain output on the 2 mentioned pages will now be HTML encoded. Regarding the severity of this bug, it's low to non-existent. The report makes the following statement, which is false: "The vulnerability allows an attacker with privileged user account to hijack customer/moderator/admin sessions with high required user interaction. Successful exploitation can result in account steal or client side context manipulation when processing affected module application requests." This is because of the feature added in 1.34.5: http://www.directadmin.com/features.php?id=1050 which prevents the "cross-site" aspect of the cross-site-scripting report. We could say then that all versions older than 1.34.5 would be affected.
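As an added illustration (example code, not DirectAdmin's own), the fix described above in Python: a domain value interpolated raw into a page versus the same value HTML encoded on output, with a hostname syntax check as an extra input-side filter. The row layout, query parameter name and sample values are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# One hostname label (RFC 1123): 1-63 chars, letters/digits/hyphen,
# no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(domain: str) -> bool:
    """Input-side check: accept only strings shaped like a hostname.

    Markup characters such as '<', '"' or '>' can never pass, so a
    domain field carrying a script fragment is rejected before storage.
    """
    if not domain or len(domain) > 253 or domain.endswith("."):
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def render_domain_row_unsafe(domain: str) -> str:
    """Before the fix: the stored domain is written into the page as-is.

    Any markup in the value becomes part of the rendered HTML.
    """
    return (f'<td class="domain">'
            f'<a href="CMD_DOMAIN?domain={domain}">{domain}</a></td>')


def render_domain_row(domain: str) -> str:
    """After the fix: encode for each output context.

    The href is a URL query value, so percent-encode it first and then
    HTML-encode the attribute; the link text is HTML-encoded directly.
    """
    href_value = html.escape(quote(domain, safe=""), quote=True)
    text_value = html.escape(domain, quote=True)
    return (f'<td class="domain">'
            f'<a href="CMD_DOMAIN?domain={href_value}">{text_value}</a></td>')


if __name__ == "__main__":
    # Constructed sample: a "domain" that carries stray markup.
    suspicious = 'example.com"><b>x</b>'
    print("valid hostname:", is_valid_domain(suspicious))
    print("unsafe:", render_domain_row_unsafe(suspicious))
    print("encoded:", render_domain_row(suspicious))
```

The encoded rendering contains exactly the four tags the template itself emits, whatever the domain value holds, while the unencoded one carries the injected markup through into the page.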
