username filtering on CMD_SELECT_USERS

Version 1.501

Bugfix
Finished

The CMD_SELECT_USERS page was not correctly filtering the select0-type variables (select0, select1, ...). This allowed the currently logged-in account to submit arbitrary text, which the next page could echo back unescaped, so the text could contain injected code such as JavaScript. The issue was reported as an XSS (cross-site scripting) security hole: http://www.vulnerability-lab.com/get_content.php?id=1824 but because of this feature: http://www.directadmin.com/features.php?id=1050 the "cross site" portion of the report is false, which removes the attack path: DA checks the Referer on POSTs and blocks requests that originate from another site, so the injected text can only come from the logged-in user's own browser. We do still consider this a bug, as basic User input sanitation/filtering is always needed, but no external site or attacker can use this against you, making the security level of this somewhere between low and zero. For anyone else who finds something similar, be sure to actually test your XSS discovery from an external site/webpage (anything on a different port or hostname), as DA will notice the incorrect Referer (id=1050) and will block the POST. http://help.directadmin.com/item.php?id=619
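The following is an added example, not DirectAdmin's own code, showing the two checks this entry talks about: HTML-escaping the select0-type fields before they are echoed into the next page, and rejecting a POST whose Referer comes from a different origin (scheme, host or port) the way the id=1050 feature does. The field names, the panel origin https://panel.example:2222 (2222 being DA's default port), the handler name and the sample form data are all assumptions made for the example.

```python
# Added example (not DirectAdmin's code): output-encoding of select0..selectN
# values plus a same-origin Referer check for the CMD_SELECT_USERS POST.
# Field names, header names, the panel origin and all sample input are
# assumptions constructed for this example.
import html
import re
from urllib.parse import urlsplit

SELECT_KEY = re.compile(r"^select\d+$")


def sanitize_select_fields(form: dict) -> dict:
    """Return only the select0..selectN fields, with every value HTML-escaped.

    Escaping (rather than stripping) keeps the user's text intact while making
    <script> and friends render as literal characters on the next page.
    """
    return {
        key: html.escape(value, quote=True)
        for key, value in form.items()
        if SELECT_KEY.match(key)
    }


def _origin(url: str):
    """(scheme, host, port) of a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def same_origin(referer: str, expected_origin: str) -> bool:
    """True when the Referer matches the panel's scheme, host AND port.

    A different port or hostname is a different origin, which is why an XSS
    proof-of-concept must be hosted somewhere other than the panel itself.
    An absent Referer is treated as cross-site for a state-changing POST.
    """
    if not referer:
        return False
    return _origin(referer) == _origin(expected_origin)


def handle_select_users_post(headers: dict, form: dict, expected_origin: str) -> dict:
    """Hypothetical handler: block cross-site POSTs first, then escape the fields."""
    if not same_origin(headers.get("Referer", ""), expected_origin):
        return {"status": 403, "body": "Referer check failed"}
    fields = sanitize_select_fields(form)
    # The "next page" echoes the selected users back; they are now safe to embed.
    body = "<ul>" + "".join(f"<li>{v}</li>" for v in fields.values()) + "</ul>"
    return {"status": 200, "body": body}


if __name__ == "__main__":
    # Constructed sample input: a payload submitted by the logged-in user.
    form = {"select0": "<script>alert(1)</script>", "select1": "bob", "note": "x"}
    panel = "https://panel.example:2222"
    own = handle_select_users_post({"Referer": panel + "/CMD_SELECT_USERS"}, form, panel)
    foreign = handle_select_users_post({"Referer": "https://attacker.example/poc.html"}, form, panel)
    print(own["status"], own["body"])
    print(foreign["status"], foreign["body"])
```

The same-origin path returns the escaped list, so the payload is shown as text; the cross-site path never reaches the rendering step, which is the behaviour the entry describes as removing the "cross site" part of the report.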
