Parallels Plesk Panel 9.5 Cross Site Scripting - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1813635 漏洞类型
发布时间 2019-11-06 更新时间 2019-11-06
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019110040
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#Exploit Title: Parallels Plesk Panel 9.5 Reflected XSS

#Release Date: 06/11/2019

#Author: Cyber Citadel

#Website: www.cybercitadel.com

#Vendor: www.plesk.com

#Versions 9.5



*Description*



A Cross Site Scripting vulnerability occurs when an attacker can inject
JavaScript in context of the web application. The vulnerability occurs when
user input is not sanitized before it’s returned back to the user. Because
JavaScript is able to access your DOM (Document Object Model) an attacker
can craft a JavaScript payload which can be used to steal the victim’s
session cookies and send it to a domain that they control thereby hijacking
the session.



The vulnerability exists in "*fileName*" parameter reflected in application
response were later being reflected in different parts of application
response.



*Credits *



Discovered by: Rafay Baloch and Muhammad Samak



*POC*



https://target/locales/tr-TR/help/index.htm?fileName=javascript:alert(document.domain)



*Solution*

Any user-generated input should be HTML-encoded, at any point, where it is
copied into application responses.

All HTML meta characters should be replaced with the corresponding HTML
entities. The following meta characters shall be filtered out before they
are displayed back to the user.

[1] | (pipe sign)

[2] & (ampersand sign)

[3] ; (semicolon sign)

[4] $ (dollar sign)

[5] % (percent sign)

[6] @ (at sign)

[7] ʹ (single apostrophe)

[8] ʺ (quotation mark)

[9] \ʹ (backslash‐escaped apostrophe)

[10] \ʺ (backslash‐escaped quotation mark)

[11] <> (triangular parenthesis)

[12] () (parenthesis)

[13] + (plus sign)

[14] CR (Carriage return, ASCII 0x0d)

[15] LF (Line feed, ASCII 0x0a)

[16] , (comma sign)

[17] \ (backslash)


*Recommendation*



Upgrade to the latest version of Parallel Plesk.