Plesk Control Panel version 102 suffers from a cross site scripting vulnerability.
9ce94f018b6a159b2536c30e1849e01d5740c9bd9318fe2e6a86e92ad9d7fff7
(From sqlhacker)
http://xss.cx/examples/plesk-reports/xss-reflected-cross-site-scripting-cwe79-capec86-plesk-parallels-control-panel-version-20110407.20.html
RXSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, Plesk Control Panel Version 20110407.20
Report generated by XSS.CX <http://xss.cx/> at Tue May 24 05:40:53 CDT 2011 with respect to Plesk CPANEL for Windows Build 20110407.20 on Windows 2008 R2 Server, 64 Bit
Plesk SMB 10.2 for Windows Report of October 2010 <http://xss.cx/examples/plesk-reports/plesk-10.2.0.html>
| Plesk SMB 10.2 - Site Editor for Windows Report of October 2010 <http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html>
------------------------------
Executive Summary
Parallels Plesk Control Panel for Windows is vulnerable to XSS and other injection vulnerabilities, starting from a least-privileged user logged into the Control Panel. Various exploits are possible, from XSS to DoS. This report is specific to proving CWE-79, XSS, as a user of least authentication within the Control Panel application. Initially reported (privately) to Plesk in October 2010 in Parallels Ticket #1020740, these vulnerabilities, and others, still exist in the current releases of the Control Panel products.
[image: XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86] <http://xss.cx/images/plesk-parallels-control-panel-reflected-xss-dork-ghdb-example-poc-javascript-injection-least-priv-user.jpg>
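The report's screenshots attribute the reflected XSS to a failure to sanitize input before it is echoed into the page. The root-cause fix for CWE-79 is context-aware output encoding at the point where untrusted data is written into HTML. The following is an added example, not code from Plesk or from the xss.cx report: it contrasts a handler that reflects a query parameter verbatim with one that encodes per output context (HTML text, attribute value, URL query component), and includes a check that a reviewer can run to confirm the raw input no longer survives in the rendered markup. The parameter name `q`, the page fragment and the sample inputs are constructed for illustration.

```python
"""Context-aware output encoding as a mitigation for reflected XSS (CWE-79).

Added example, not code from Plesk or the xss.cx report. The parameter name,
page fragment and sample inputs below are constructed for illustration.
"""
import html
import re
from urllib.parse import quote

# Constructed sample values for a reflected "q" query parameter (hypothetical).
SAMPLE_INPUTS = [
    "acme.example",          # ordinary value, must render unchanged
    '"><b>bold</b>',         # breaks out of an attribute and injects markup
    "it's <i>mine</i>",      # single quote plus tags
]

# Metacharacters that change meaning when written raw into HTML.
HTML_META = re.compile(r"[<>\"'&]")


def render_unsafe(search: str) -> str:
    """Echo the parameter back verbatim: the pattern behind reflected XSS."""
    return f'<input name="q" value="{search}"><p>Results for {search}</p>'


def encode_for_html_body(value: str) -> str:
    """Encode for an HTML text node (escapes & < > " and ')."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Encode for a double-quoted attribute value.

    html.escape with quote=True covers both quote characters, so the same
    encoder is safe here; it is kept separate so call sites state their context.
    """
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """Percent-encode for use inside a URL query component."""
    return quote(value, safe="")


def render_safe(search: str) -> str:
    """Same page fragment, with each sink encoded for its own context."""
    return (
        f'<input name="q" value="{encode_for_html_attribute(search)}">'
        f"<p>Results for {encode_for_html_body(search)}</p>"
        f'<a href="/search?q={encode_for_url_param(search)}">permalink</a>'
    )


def reflected_verbatim(rendered: str, untrusted: str) -> bool:
    """True if an input containing HTML metacharacters appears unencoded.

    Inputs without metacharacters are expected to appear verbatim, so they
    are not treated as a finding.
    """
    return HTML_META.search(untrusted) is not None and untrusted in rendered


def audit(renderer) -> dict:
    """Run every constructed sample through a renderer; map input -> finding."""
    return {s: reflected_verbatim(renderer(s), s) for s in SAMPLE_INPUTS}


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, audit(fn))
```

The unsafe renderer reports a finding for both markup-bearing samples; the safe renderer reports none while still rendering the ordinary value unchanged. The same approach generalizes to any reflected or stored field: choose the encoder by the sink (text node, attribute, URL, JavaScript string) rather than trying to strip "bad" characters from the input.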
------------------------------
CPanel Application Crash
[image: XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86] <http://xss.cx/images/plesk-parallels-control-panel-reflected-xss-dork-ghdb-example-poc-javascript-failure-sanitization-input.jpg>
------------------------------
*Stored XSS PoC*
[image: XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86] <http://xss.cx/examples/plesk-reports/plesk-example-ui-embedded-url-link-injection-poc.jpg>
Plesk Control Panel Version 20110407.20
*Application Crash*
[image: XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86] <http://xss.cx/examples/plesk-reports/plesk-cwe-79-sanitization-1.jpg>
Plesk Control Panel Version 20110407.20
Immunity Debugger Screen Grab of W3P.EXE Program Termination, Call Stack, Registers, PHP5ts
[image: XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86] <http://xss.cx/examples/plesk-reports/plesk-stack-stack-w3p-plesk-application-crash.jpg>