XSS + SQL Injection in Plesk Small Business Manager 10.2 + Site Editor

vendor:

Plesk Small Business Manager 10.2 + Site Editor

by:

David Hoyt

7,5

CVSS

HIGH

Cross Site Scripting + SQL Injection

89 (SQL Injection) and 79 (Cross-site Scripting)

CWE

Product Name: Plesk Small Business Manager 10.2 + Site Editor

Affected Version From: Plesk Small Business Manager 10.2.0

Affected Version To: Plesk Small Business Manager 10.2.0

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 2008 /64/R2

2010

XSS + SQL Injection in Plesk Small Business Manager 10.2 + Site Editor

David Hoyt discovered Cross Site Scripting and SQL Injection vulnerabilities in Plesk Small Business Manager 10.2 + Site Editor. The vulnerabilities can be exploited by remote attackers to inject malicious code into web pages viewed by other users, execute arbitrary SQL commands in the back-end database, and gain access to sensitive information. The vulnerabilities are located in the 'create-dir' parameter of the 'file-manager' module. The vulnerabilities can be exploited by remote attackers without user interaction.

Mitigation:

Upgrade to the latest version of Plesk Small Business Manager 10.2 + Site Editor

Source

Exploit-DB raw data:

XSS + SQL Injection in Plesk Small Business Manager 10.2 + Site Editor
######################################################################## 
# Vendor: Plesk Small Business Manager 10.2 + Site Editor
# Product Description URL http://www.parallels.com/products/small-business-panel/
# Date: 2010-09-17
# Author : David Hoyt – http://cloudscan.me
# Contact : h02332@gmail.com
# Home : http://cloudscan.me
# Dork : Small Business Manager
# Bug : Cross Site Scripting + SQL Injection 
# Tested on : Plesk Small Business Manager 10.2.0 // Windows 2008 /64/R2
# Disclosure : Uncoordinated 
########################################################################
UPDATED OCT-14-2010
NOTE TO PARALLELS TEAM: EXPANDED INFO IN [Parallels #1020740] Security issues PSBP and SiteEditor. 


Here are the Audit Reports:


URL Reports for Plesk Small Business Manager 20.2.0 + Site Editor
http://xss.cx/examples/plesk-reports/plesk-10.2.0.html
http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html
http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.xml


Picture Proofs:
http://xss.cx/images/plesk-cover-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-sqli-2-1.jpg
http://xss.cx/images/plesk-site-editor-sqli-1-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-1-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-2-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-5.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-6.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-7.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-8.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-9.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-11.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-12.jpg




Vulnerability Examples:
----------------------------------------
1. SQL Injection
Summary
Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /plesk/client@1/domain@1/hosting/file-manager/create-dir/


Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /plesk/client@1/domain@1/hosting/file-manager/permissions/






2. Cross-site scripting (reflected)
2.1. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.2. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.3. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.4. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/copy [items%5B0%5D parameter]
2.5. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/index/type/external/ [folder parameter]


Summary
Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/app/available/id/apscatalog/


Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/app/available/id/apscatalog/




Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/file/copy


Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/file/index/type/external/






DETAILS ON SITE EDITOR:


1. SQL injection


1.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Html [currentPageId parameter]
1.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery [filelist cookie]
1.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery/Image/Edit [PLESKSESSID cookie]
1.4. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Publish [Referer HTTP header]
1.5. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/css/styles.css [colorScheme parameter]
1.6. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/logo.gif [template parameter]
1.7. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/xsk_16.jpg [colorScheme parameter]


2. Cross-site scripting (reflected)
2.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [file parameter]
2.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [name of an arbitrarily supplied request parameter]
2.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/localizedimage.php [name of an arbitrarily supplied request parameter]






Please see URL http://www.cloudscan.me/2010/09/xss-sql-injection-in-plesk-small.html for the complete Advisory.