Full Disclosure mailing list archives
Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 25 Mar 2011 18:25:04 +0800
Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability 1. OVERVIEW The Plesk versions from 7.0 to 8.2 are vulnerable to Open URL Redirection when "Enable webuser () domain com" access format, a new feature introduced in Plesk 7.0, is enabled in user preferences. 2. BACKGROUND Parallels Plesk Panel is a turnkey Web hosting system that includes fully automated billing and provisioning, an integrated SiteBuilder, and access to over a hundred Web-based applications that you can use to create unique service plans that meet a variety of customer needs. 3. VULNERABILITY DESCRIPTION The Plesk 7.0 - 8.2 versions contain a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not properly parse Query String parameter to set it apart from webuser () domain com format upon submission to the default web root url (/) of the affected domain (i.e www.domain.com/) . To further explain, when the URL with the format, http://domain.com/?@attacker.in, is requested, the Plesk mistakenly parses domain.com/? as a web user and attacker.com as the main domain. This allows an attacker to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site (domain.com) to an arbitrary web site (attacker.in) of the attacker's choice. This flaw takes place in the file, at_domains_index.html, part of the Plesk application. Vulnerable code snippets of at_domains_index.html are as follows: //////////////////////////////////////////////////////////////////////////////////// .... <title>Relocate</title> <script language="javascript"> var url = window.location.href; if (url.charAt(url.length - 1) != "/") url = url + "/"; var s = url.indexOf("//") + 2; var e = url.indexOf("@"); if (e > 0) { var atpart = url.substring(s, e); var newurl = url.substring(0, s) + url.substring(e + 1 , url.length); window.location = newurl + "~" + atpart + "/"; } else { window.location= "/index.html"; } </script> ........... //////////////////////////////////////////////////////////////////////////////////// Domains with webuser () domain com access format disabled are not vulnerable. 4. VERSIONS AFFECTED 7.0 - 8.2 5. PROOF-OF-CONCEPT/EXPLOIT http://www.victim.com/?@%61%74%74%61%63%6b%65%72%2e%69%6e http://www.victim.com/?@attacker.in 6. SOLUTION Vendor will not release patch file for customers of affected versions. One of the following: - Use Plesk 8.3 or higher - Disable webuser () domain com access format - Patch at_domains_index.html with http://yehg.net/lab/pr0js/advisories/plesk/patches/open-redirect/at_domains_index.html.zip [note: extract & edit file to modify your index url] 7. VENDOR Parallels Holdings Ltd http://www.parallels.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-03-09: notified vendor though publicly available emails 2011-03-22: no reply 2011-03-23: reported again through an email that asked feedback for using trial version of Plesk 10.x 2011-03-23: vendor confirmed that the issue is affected till the version 8.2 2011-03-25: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[plesk_7.0-8.2]_open_url_redirection Parallels Plesk Home Page: http://www.parallels.com/products/plesk OWASP Top 10 2010 - A 10: http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601 CWE-601: http://cwe.mitre.org/data/definitions/601.html #yehg [2011-03-25] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability YGN Ethical Hacker Group (Mar 25)