username filtering on CMD_SELECT_USERS

Version 1.501


The CMD_SELECT_USERS page was not correctly filtering the select0 type variables. This allowed the currently logged-in account to type in any text, so the next page could potentially contain injected code, such as JavaScript. The issue was reported as an XSS security hole (cross-site scripting), but because of this feature, the "cross site" portion of this statement is false, mitigating any sort of security issue. We do still consider this to be a bug, as basic User input sanitization/filtering is always needed, but no external site or attack can use this against you, making the security level of this somewhere between low and zero. For anyone else who finds something similar, be sure to actually test your XSS discovery with an external site/webpage (anything on a different port or hostname), as DA will notice the referer being incorrect (id=1050) and will block the post.
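The two controls described above, input filtering of the selectN variables and a referer check that blocks posts from another hostname or port, can be sketched as follows. This is an added example, not DirectAdmin's code: the username pattern, the host `panel.example.test`, port 2222 and all function names are assumptions made for illustration.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Assumed username policy for illustration; the real rule is not stated on this page.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{0,15}")
SELECT_KEY_RE = re.compile(r"select(\d+)")

def same_origin(referer, panel_host, panel_port):
    """True only if the Referer names the panel's own hostname and port."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname.lower() == panel_host.lower() and port == panel_port

def filter_selected_users(form):
    """Split selectN fields into accepted usernames and rejected raw values."""
    accepted, rejected = [], []
    for key, value in form.items():
        if not SELECT_KEY_RE.fullmatch(key):
            continue  # not a selectN variable
        (accepted if USERNAME_RE.fullmatch(value) else rejected).append(value)
    return accepted, rejected

def handle_post(form, referer, panel_host="panel.example.test", panel_port=2222):
    """Return (status, html) for a constructed CMD_SELECT_USERS-style POST."""
    if not same_origin(referer, panel_host, panel_port):
        return 403, "Blocked: referer does not match this panel"
    accepted, rejected = filter_selected_users(form)
    if rejected:
        # Escape before echoing so rejected text is shown as data, never as markup.
        return 400, "Invalid username: " + escape(rejected[0])
    items = "".join(f"<li>{escape(u)}</li>" for u in accepted)
    return 200, "<ul>" + items + "</ul>"
```

The filter rejects anything outside the username character set before the next page is built, and output is escaped regardless, so neither control depends on the other.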
