Anti-Phishing Research, Tombstones

Saturday, September 24, 2011

Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6, XSS, SQL Injection, Crash Report, Cross Site Scripting, CWE-79, CWE-89


Product Review
-----------------------------------------

Parallels® Plesk Panel 10

An easy, profitable, and complete server automation solution that will help your business grow.

Easy. Quick Web site creation and management; intuitive user interface; power user mode for easier server administration.
Profitable. Parallels Partner Storefront simplifies sale of SaaS apps.
Complete. Multi-language support; free bundles available (SiteBuilder, Customer & Business Manager).

Platform Configuration Tested
-----------------------------------------
Plesk Parallels Panel Linux Version 2.6.32-131.12.1.e16.x86_64
Note that the exploits are with respect to authenticated Admin, Reseller and End-User accounts.


Vulnerability Summary
-----------------------------------
Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6 and the Windows Server Version are vulnerable to XSS and other injection vulnerabilities, starting from a least-privileged user logged into the Control Panel. Various exploits are possible, from XSS to DoS.


Stored and Reflected XSS - CWE-79
SQLi - CWE-89
Information Disclosure - CWE-200
Denial of Service


Issue:   SQL injection
Severity:   High
Confidence:   Certain
Host:   https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443

Issue detail

9 instances of this issue were identified, at the following locations:
  • /admin/customer/list [searchFilter[resourceUsage][searchText] parameter]
  • /admin/ [locale cookie]
  • /admin/customer/create [contactInfoSection%5BcontactInfo%5D%5Bfax%5D parameter]
  • /admin/customer/list/reset-search/true/ [Referer HTTP header]
  • /admin/home/reseller [User-Agent HTTP header]
  • /admin/reseller/personal-info/ [psaContext cookie]
  • /admin/subscription/list [REST URL parameter 2]
  • /login_up.php3 [locale cookie]
  • /login_up.php3 [name of an arbitrarily supplied request parameter]       
SQL Injection Proof of Concept - Single Quote - Reseller Login
-----------------------------------------------------------------------------------
GET /admin/customer/list?force-show-search=true&searchFilter[resourceUsage][searchText]=overuse'
---------
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 6
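To show the defect class behind the 1064 error above, here is an added example (not Plesk's code; the query shape is an assumption modelled on the "near '))'" error text) that contrasts a concatenated search filter with a parameterized one, using an in-memory SQLite table as a constructed stand-in for the customer list.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the customer list the scanner hit.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, resource_usage TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "normal"), ("bob", "overuse"), ("eve", "it's overuse")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, search_text):
    # Filter built by string concatenation; the double closing parenthesis is an
    # assumption based on the scanner's "near '))'" message. A trailing quote in
    # search_text (or a legitimate apostrophe) breaks the statement.
    sql = ("SELECT login FROM customers WHERE "
           "((resource_usage LIKE '%" + search_text + "%'))")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, search_text):
    # Parameterized query: the driver passes search_text as data, never as SQL,
    # so quotes in the input are just characters to match.
    sql = "SELECT login FROM customers WHERE ((resource_usage LIKE ?))"
    return [row[0] for row in conn.execute(sql, ("%" + search_text + "%",))]


def handle_search(conn, search_text, impl):
    """Run a search and return (rows, message_for_client).

    The second half of the fix: the raw driver error (SQLSTATE, MySQL 1064
    text, line number) stays in the server log and is not echoed to the
    browser, which removes the information disclosure the probe relied on.
    """
    try:
        return impl(conn, search_text), None
    except sqlite3.Error as exc:
        print("search failed (logged server-side):", exc)  # stand-in for a logger
        return [], "Search failed"


if __name__ == "__main__":
    db = make_db()
    print(handle_search(db, "overuse'", search_vulnerable))  # generic message only
    print(handle_search(db, "overuse'", search_fixed))       # no rows, no error
```

Running the same `overuse'` probe against both handlers shows the concatenated version failing (and, without the wrapper, leaking the driver error) while the parameterized version simply finds no match and also correctly handles a real apostrophe in the data.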

Issue:   Cross-site scripting (reflected)
Severity:   High
Confidence:   Certain
Host:   https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443

Issue detail

6 instances of this issue were identified, at the following locations:
  • / [start_page parameter]
  • /admin/app/usage-data [searchFilter%5Bname%5D%5BsearchText%5D parameter]
  • /admin/health/ [group parameter]
  • /plesk/reseller@3/backup/create/ [email parameter]
  • /plesk/reseller@3/custom-buttons/custom-button@new/properties/ [wizard parameter]
  • /plesk/reseller@3/report/layout@2/auto@new/properties/ [wizard parameter]       
Reseller Account Reflected Cross Site Scripting (RXSS) Proof of Concept
Note - Must be logged in as a Reseller to execute

Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6

Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6 - Application Crash
