Full Disclosure mailing list archives

Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability


From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 25 Mar 2011 18:25:04 +0800


1. OVERVIEW

Plesk versions 7.0 through 8.2 are vulnerable to open URL redirection
when the "Enable webuser@domain.com" access format, a feature introduced
in Plesk 7.0, is enabled in user preferences.


2. BACKGROUND

Parallels Plesk Panel is a turnkey Web hosting system that includes
fully automated billing and provisioning, an integrated SiteBuilder,
and access to over a hundred Web-based applications that you can use
to create unique service plans that meet a variety of customer needs.


3. VULNERABILITY DESCRIPTION

Plesk versions 7.0 - 8.2 contain a flaw that allows a remote cross-site
redirection attack. The flaw exists because the application does not
properly separate the query string from the webuser@domain.com access
format when a request is made to the default web root URL (/) of the
affected domain (i.e. www.domain.com/). For example, when a URL of the
form http://domain.com/?@attacker.in is requested, Plesk mistakenly
parses domain.com/? as the web user and attacker.in as the main domain.
This allows an attacker to create a specially crafted URL that, if
clicked, redirects a victim from the intended legitimate web site
(domain.com) to an arbitrary web site (attacker.in) of the attacker's
choice. The flaw is in the file at_domains_index.html, part of the Plesk
application. The vulnerable code snippet from at_domains_index.html is as
follows:

////////////////////////////////////////////////////////////////////////////////////
....
<title>Relocate</title>
<script language="javascript">
  var url = window.location.href;
  if (url.charAt(url.length - 1) != "/")
    url = url + "/";
  var s = url.indexOf("//") + 2;
  // The first "@" anywhere in the URL, including inside the query
  // string, is taken as the webuser@domain separator.
  var e = url.indexOf("@");
  if (e > 0) {
    var atpart = url.substring(s, e);
    // Everything after the "@" becomes the new host; for
    // http://domain.com/?@attacker.in that host is attacker.in.
    var newurl = url.substring(0, s) + url.substring(e + 1 , url.length);
    window.location = newurl + "~" + atpart + "/";
  } else {
    window.location= "/index.html";
  }
</script>
...........
////////////////////////////////////////////////////////////////////////////////////

Domains with the webuser@domain.com access format disabled are not vulnerable.
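The following is an added example, not code from the advisory or from Plesk: the snippet's relocation logic as a pure function beside a hardened variant that honours an "@" only inside the authority part of the URL, checks the host against the domain being served, and redirects relative to the current origin. The function names and the expectedDomain parameter are assumptions.

```javascript
// Vulnerable logic, as in at_domains_index.html: the first "@" anywhere
// in the URL is treated as the webuser@domain separator, even when it
// sits in the query string.
function relocateVulnerable(url) {
  if (url.charAt(url.length - 1) != "/") url = url + "/";
  const s = url.indexOf("//") + 2;
  const e = url.indexOf("@");
  if (e > 0) {
    const atpart = url.substring(s, e);
    const newurl = url.substring(0, s) + url.substring(e + 1, url.length);
    return newurl + "~" + atpart + "/";
  }
  return "/index.html";
}

// Hardened variant (assumed design, not a vendor fix). The "@" counts
// only if it appears before the first "/", "?" or "#" after "//", the
// host after it must equal the domain this page is served for, and the
// result is a relative path so the browser can never leave the origin.
function relocateHardened(url, expectedDomain) {
  let s = url.indexOf("//");
  if (s < 0) return "/index.html";
  s += 2;
  // End of the authority section.
  let end = url.length;
  for (const ch of ["/", "?", "#"]) {
    const i = url.indexOf(ch, s);
    if (i >= 0 && i < end) end = i;
  }
  const authority = url.substring(s, end);
  const at = authority.indexOf("@");
  if (at < 0) return "/index.html";
  const webuser = authority.substring(0, at);
  const host = authority.substring(at + 1).toLowerCase();
  if (host !== expectedDomain.toLowerCase()) return "/index.html";
  if (!/^[a-z0-9._-]+$/i.test(webuser)) return "/index.html";
  return "/~" + webuser + "/";
}
```

With the sample from the advisory, relocateVulnerable sends the browser to an attacker.in URL while relocateHardened falls back to /index.html; a legitimate http://bob@victim.com/ still lands on /~bob/.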


4. VERSIONS AFFECTED

 7.0 - 8.2


5. PROOF-OF-CONCEPT/EXPLOIT

http://www.victim.com/?@%61%74%74%61%63%6b%65%72%2e%69%6e
http://www.victim.com/?@attacker.in


6. SOLUTION

The vendor will not release a patch for customers of the affected versions.

One of the following:
  - Use Plesk 8.3 or higher
  - Disable the webuser@domain.com access format
  - Patch at_domains_index.html with
          http://yehg.net/lab/pr0js/advisories/plesk/patches/open-redirect/at_domains_index.html.zip
          [note: extract & edit file to modify your index url]


7. VENDOR

Parallels Holdings Ltd
http://www.parallels.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-03-09: notified vendor through publicly available emails
2011-03-22: no reply
2011-03-23: reported again through an email that asked feedback for
using trial version of Plesk 10.x
2011-03-23: vendor confirmed that the issue affects versions up to 8.2
2011-03-25: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[plesk_7.0-8.2]_open_url_redirection
Parallels Plesk Home Page: http://www.parallels.com/products/plesk
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2011-03-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
