DirectAdmin
cpe:2.3:a:directadmin:directadmin:*:*:*:*:*:*:*
- <= 1.680
A DOM injection vulnerability has been identified in DirectAdmin version 1.680. This issue allows unauthorized attackers to manipulate the user interface by injecting content into the login page. The vulnerability arises because the application fails to properly sanitize or limit the length of user-supplied values in the return-to parameter, which are directly reflected in the DOM. As a result, attackers can replace legitimate login elements with their own content, potentially leading to phishing attacks or credential theft.
Exploitation of this vulnerability causes the legitimate login fields to become invisible, replaced by attacker-controlled content. This not only disrupts the user interface but also creates opportunities for phishing or stealing credentials. Additionally, the injected content could be indexed by search engines, causing reputational damage.
To reproduce this vulnerability, navigate to the DirectAdmin login page and append a crafted payload to the return-to parameter. The payload can include a long string of hyphens or percent-encoded text simulating a warning message. When the page is rendered, the injected content will displace the original login fields off-screen, preventing user interaction.
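A server-side check that addresses the root cause described above (an unvalidated, unbounded return-to value reflected into the login page), given as an added example and not DirectAdmin's own code. The function names, the 256-character cap, the allowed character set and the "/" fallback are assumptions chosen for illustration.

```javascript
// Added example: validation for a login "return-to" value. All names and
// limits here are assumptions for illustration, not DirectAdmin code.
const MAX_RETURN_TO_LENGTH = 256;   // assumed cap; real targets are short paths
const DEFAULT_RETURN_TO = "/";      // assumed fallback after login
// After one decode: a same-site path, optional simple query, no spaces or markup.
const SAFE_PATH = /^\/[A-Za-z0-9\-._~\/]*(\?[A-Za-z0-9\-._~=&]*)?$/;
// 16 or more repeats of one character (the filler that displaces the form).
const LONG_RUN = /(.)\1{15,}/;

// raw: the parameter value as received, still percent-encoded.
function safeReturnTo(raw) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_RETURN_TO;
  if (raw.length > MAX_RETURN_TO_LENGTH) return DEFAULT_RETURN_TO;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (err) {
    return DEFAULT_RETURN_TO;       // malformed percent-encoding
  }
  if (decoded.startsWith("//")) return DEFAULT_RETURN_TO;   // not a local path
  if (!SAFE_PATH.test(decoded)) return DEFAULT_RETURN_TO;   // text, %, markup
  if (LONG_RUN.test(decoded)) return DEFAULT_RETURN_TO;     // padding run
  return decoded;
}

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Carry the value in a hidden field; it is never written into visible page text.
function returnToField(raw) {
  return `<input type="hidden" name="return-to" value="${escapeAttr(safeReturnTo(raw))}">`;
}
```

Anything that is not a short local path falls back to the default, so free text and filler never reach the rendered login page.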