Anti-Phishing Research, Tombstones

Thursday, September 22, 2011

Plesk Control Panel Version 20110407.20, XSS, SQL Injection, Crash Report, Parallels, No Reply, Cross Site Scripting, CWE-79, CWE-89, DORK, GHDB, BHDB

Injection Vulnerabilities in Plesk Control Panels for Windows and RHEL Linux Version 10.2
===================================
August 2010 - Injection Report published at http://xss.cx/examples/plesk-reports/plesk-10.2.0.html and http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html, covering Plesk Small Business Manager for Windows and Site Editor as vulnerable to Injection and Remote Takeover. Contact established with Parallels after Full Disclosure; a follow-up was expected, but none was sent.

April 2011 - Injection Report sent to CERT with Ticket VU#541814. No contact received after June 1, 2011.

September 22, 2011 - Published Windows Server Report on XSS.Cx at URL http://xss.cx/examples/plesk-reports/xss-reflected-cross-site-scripting-cwe79-capec86-plesk-parallels-control-panel-version-20110407.20.html

September 23, 2011 - Publish RHEL Linux Server Report on XSS.Cx at URL http://xss.cx/examples/plesk-reports/plesk-redhat-el6-psa-10.2.0-build-1011110331.18-xss-sqli-cwe79-cwe89-javascript-injection-exception-example-poc-report-paros-burp-suite-pro-1.4.1.html

Plesk Control Panel Version 20110407.20

Parallels Plesk Control Panel for Windows is vulnerable to XSS and other injection vulnerabilities, exploitable starting from a least-privileged user logged into the Control Panel. Various exploits are possible, from XSS to DoS.


Platform Configuration Tested
-----------------------------------------
Plesk CPANEL for Windows Build 20110407.20 on Windows 2008 R2 Server, 64 Bit Mode
Note that the exploits are with respect to an Authenticated User

Vulnerability Summary - Dated May 24, 2011
-----------------------------------
Stored XSS - CWE-79
SQLi - CWE-89
Information Disclosure - CWE-200
Denial of Service


Vulnerability Details
-----------------------------------

XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86


Stored XSS PoC

SQL Injection when reassigning subscriptions

Application Crash - CPanel Crash, terminating the W3P.EXE Process, see debugger output below

Immunity Debugger Screen Grab of W3P.EXE Program Termination, Call Stack, Registers, PHP5ts
