Parallels Plesk 8.2 URL Redirection
Posted Mar 25, 2011
Authored by Aung Khant | Site yehg.net

Parallels Plesk versions 7.0 through 8.2 suffer from an open URL redirection vulnerability.

tags | exploit
SHA-256 | e82c4eede93f6f4c23ff261011ee5bf01469c81b640ce2339d9a14906d8eeeb6

Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability


1. OVERVIEW

The Plesk versions from 7.0 to 8.2 are vulnerable to Open URL
Redirection when "Enable webuser@domain.com" access format, a new
feature introduced in Plesk 7.0, is enabled in user preferences.


2. BACKGROUND

Parallels Plesk Panel is a turnkey Web hosting system that includes
fully automated billing and provisioning, an integrated SiteBuilder,
and access to over a hundred Web-based applications that you can use
to create unique service plans that meet a variety of customer needs.


3. VULNERABILITY DESCRIPTION

Plesk versions 7.0 - 8.2 contain a flaw that allows a remote cross-site
redirection attack. The flaw exists because the application does not
properly parse the query-string parameter to separate it from the
webuser@domain.com access format when a request is made to the default
web root URL (/) of the affected domain (i.e. www.domain.com/). To
illustrate: when a URL of the form http://domain.com/?@attacker.in is
requested, Plesk mistakenly parses domain.com/? as the web user and
attacker.in as the main domain. This allows an attacker to craft a URL
that, if clicked, redirects the victim from the intended legitimate web
site (domain.com) to an arbitrary web site (attacker.in) of the
attacker's choice. The flaw is in the file at_domains_index.html, part
of the Plesk application. The vulnerable code from at_domains_index.html
is as follows:

////////////////////////////////////////////////////////////////////////////////////
....
<title>Relocate</title>
<script language="javascript">
  var url = window.location.href;
  // Normalise to a trailing slash so the substring arithmetic below lines up
  if (url.charAt(url.length - 1) != "/")
    url = url + "/";
  // s: first character after "scheme://"; e: first "@" anywhere in the URL,
  // including inside the query string (this is the flaw)
  var s = url.indexOf("//") + 2;
  var e = url.indexOf("@");
  if (e > 0) {
    // Everything between "//" and "@" is treated as the web user name...
    var atpart = url.substring(s, e);
    // ...and everything after "@" as the real host, so "/?@attacker.in"
    // produces an absolute URL on attacker.in
    var newurl = url.substring(0, s) + url.substring(e + 1 , url.length);
    window.location = newurl + "~" + atpart + "/";
  } else {
    window.location= "/index.html";
  }
</script>
...........
////////////////////////////////////////////////////////////////////////////////////

Domains with webuser@domain.com access format disabled are not vulnerable.
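The following is an added example, not code from the advisory or from Plesk: the relocate logic above re-implemented as pure functions so it can be run outside a browser, next to a hardened replacement that takes the web user only from the URL's userinfo component and always redirects to a path-relative target. The function names and the check are assumptions of this example; the sample URLs are constructed from the advisory's own examples.

```javascript
// Reproduces the at_domains_index.html logic (added example, not Plesk code):
// everything between "//" and the first "@" becomes the web user name, no
// matter where in the URL the "@" sits, so an "@" in the query string
// turns the rest of the query into the redirect host.
function vulnerableRelocate(href) {
  let url = href;
  if (url.charAt(url.length - 1) !== "/") url = url + "/";
  const s = url.indexOf("//") + 2;
  const e = url.indexOf("@");
  if (e > 0) {
    const atpart = url.substring(s, e);
    const newurl = url.substring(0, s) + url.substring(e + 1, url.length);
    return newurl + "~" + atpart + "/";
  }
  return "/index.html";
}

// Hardened variant (assumed design, not a vendor fix): use a real URL parser,
// accept the web user only from the authority's userinfo part, restrict it to
// a conservative character set, and emit a path-only target so the redirect
// can never leave the current origin. Assumes location.href still carries
// the "webuser@" userinfo when the access format is in use.
function hardenedRelocate(href) {
  let parsed;
  try {
    parsed = new URL(href);
  } catch {
    return "/index.html"; // unparseable input: fall back to the default page
  }
  // URL.username is the text before "@" in the authority only; an "@" in
  // the path or query never reaches here.
  if (/^[A-Za-z0-9._-]{1,64}$/.test(parsed.username)) {
    return "/~" + parsed.username + "/";
  }
  return "/index.html";
}

// Detection helper: does the computed target resolve to a different host
// than the page that issued it? Useful when reviewing redirect logic.
function redirectLeavesOrigin(href, target) {
  return new URL(target, href).host !== new URL(href).host;
}
```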


4. VERSIONS AFFECTED

7.0 - 8.2


5. PROOF-OF-CONCEPT/EXPLOIT

http://www.victim.com/?@%61%74%74%61%63%6b%65%72%2e%69%6e
http://www.victim.com/?@attacker.in


6. SOLUTION

The vendor will not release a patch for customers on affected versions.

One of the following:
- Use Plesk 8.3 or higher
- Disable webuser@domain.com access format
- Patch at_domains_index.html with
http://yehg.net/lab/pr0js/advisories/plesk/patches/open-redirect/at_domains_index.html.zip
[note: extract & edit file to modify your index url]


7. VENDOR

Parallels Holdings Ltd
http://www.parallels.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-03-09: notified vendor through publicly available emails
2011-03-22: no reply
2011-03-23: reported again through an email that requested feedback on
our trial use of Plesk 10.x
2011-03-23: vendor confirmed that the issue affects versions up to 8.2
2011-03-25: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[plesk_7.0-8.2]_open_url_redirection
Parallels Plesk Home Page: http://www.parallels.com/products/plesk
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2011-03-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd