[webapps / 0day] - Plesk Small Business Manager 10.2.0 and S
Posted on 25 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Plesk Small Business Manager 10.2.0 and Site Editor Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Plesk Small Business Manager 10.2.0 and Site Editor Vulnerabilities by David Hoyt in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=================================================================== Plesk Small Business Manager 10.2.0 and Site Editor Vulnerabilities =================================================================== XSS + SQL Injection in Plesk Small Business Manager 10.2 + Site Editor ######################################################################## # Vendor: Plesk Small Business Manager 10.2 + Site Editor # Product Description URL http://www.parallels.com/products/small-business-panel/ # Author : David Hoyt – http://cloudscan.me # Contact : h02332@gmail.com # Home : http://cloudscan.me # Dork : Small Business Manager # Bug : Cross Site Scripting + SQL Injection # Tested on : Plesk Small Business Manager 10.2.0 // Windows 2008 /64/R2 # Disclosure : Uncoordinated ######################################################################## UPDATED OCT-14-2010 NOTE TO PARALLELS TEAM: EXPANDED INFO IN [Parallels #1020740] Security issues PSBP and SiteEditor. Here are the Audit Reports: URL Reports for Plesk Small Business Manager 20.2.0 + Site Editor http://cloudscan.me/examples/plesk-reports/plesk-10.2.0.html http://cloudscan.me/examples/plesk-reports/plesk-10.2.0-site-editor.html http://cloudscan.me/examples/plesk-reports/plesk-10.2.0-site-editor.xml Picture Proofs: http://cloudscan.me/images/plesk-cover-1.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-sqli-2-1.jpg http://cloudscan.me/images/plesk-site-editor-sqli-1-1.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-1-1.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-2-1.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-5.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-6.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-7.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-8.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-9.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-11.jpg http://cloudscan.me/images/plesk-small-biz-10.2.0-xss-12.jpg Vulnerability Examples: ---------------------------------------- 1. SQL Injection Summary Severity: High Confidence: Certain Host: http://vulnerable.plesk.smb.10.2.0.site:8880 Path: /plesk/client@1/domain@1/hosting/file-manager/create-dir/ Severity: High Confidence: Certain Host: http://vulnerable.plesk.smb.10.2.0.site:8880 Path: /plesk/client@1/domain@1/hosting/file-manager/permissions/ 2. Cross-site scripting (reflected) 2.1. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter] 2.2. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter] 2.3. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter] 2.4. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/copy [items%5B0%5D parameter] 2.5. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/index/type/external/ [folder parameter] Summary Severity: High Confidence: Certain Host: http://vulnerable.plesk.smb.10.2.0.site:8880 Path: /smb/app/available/id/apscatalog/ Severity: High Confidence: Certain Host: http://vulnerable.plesk.smb.10.2.0.site:8880 Path: /smb/app/available/id/apscatalog/ Severity: High Confidence: Certain Host: http://vulnerable.plesk.smb.10.2.0.site:8880 Path: /smb/file/copy Severity: High Confidence: Certain Host: http://vulnerable.plesk.smb.10.2.0.site:8880 Path: /smb/file/index/type/external/ DETAILS ON SITE EDITOR: 1. SQL injection 1.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Html [currentPageId parameter] 1.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery [filelist cookie] 1.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery/Image/Edit [PLESKSESSID cookie] 1.4. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Publish [Referer HTTP header] 1.5. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/css/styles.css [colorScheme parameter] 1.6. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/logo.gif [template parameter] 1.7. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/xsk_16.jpg [colorScheme parameter] 2. Cross-site scripting (reflected) 2.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [file parameter] 2.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [name of an arbitrarily supplied request parameter] 2.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/localizedimage.php [name of an arbitrarily supplied request parameter] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-25]</pre></body></html>
