XSS + SQL Injection in Plesk Small Business Manager 10.2 + Site Editor
########################################################################
# Vendor: Plesk Small Business Manager 10.2 + Site Editor
# Product Description URL http://www.parallels.com/products/small-business-panel/
# Date: 2010-09-17
# Author : David Hoyt – http://cloudscan.me
# Contact : h02332@gmail.com
# Home : http://cloudscan.me
# Dork : Small Business Manager
# Bug : Cross Site Scripting + SQL Injection
# Tested on : Plesk Small Business Manager 10.2.0 // Windows 2008 /64/R2
# Disclosure : Uncoordinated
########################################################################
UPDATED OCT-14-2010
NOTE TO PARALLELS TEAM: EXPANDED INFO IN [Parallels #1020740] Security issues PSBP and SiteEditor.
Here are the Audit Reports:
URL Reports for Plesk Small Business Manager 20.2.0 + Site Editor
http://xss.cx/examples/plesk-reports/plesk-10.2.0.html
http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html
http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.xml
Picture Proofs:
http://xss.cx/images/plesk-cover-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-sqli-2-1.jpg
http://xss.cx/images/plesk-site-editor-sqli-1-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-1-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-2-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-5.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-6.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-7.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-8.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-9.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-11.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-12.jpg
Vulnerability Examples:
----------------------------------------
1. SQL Injection
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.plesk.smb.10.2.0.site:8880
Path: /plesk/client@1/domain@1/hosting/file-manager/create-dir/
Severity: High
Confidence: Certain
Host: http://vulnerable.plesk.smb.10.2.0.site:8880
Path: /plesk/client@1/domain@1/hosting/file-manager/permissions/
2. Cross-site scripting (reflected)
2.1. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.2. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.3. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.4. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/copy [items%5B0%5D parameter]
2.5. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/index/type/external/ [folder parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.plesk.smb.10.2.0.site:8880
Path: /smb/app/available/id/apscatalog/
Severity: High
Confidence: Certain
Host: http://vulnerable.plesk.smb.10.2.0.site:8880
Path: /smb/app/available/id/apscatalog/
Severity: High
Confidence: Certain
Host: http://vulnerable.plesk.smb.10.2.0.site:8880
Path: /smb/file/copy
Severity: High
Confidence: Certain
Host: http://vulnerable.plesk.smb.10.2.0.site:8880
Path: /smb/file/index/type/external/
DETAILS ON SITE EDITOR:
1. SQL injection
1.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Html [currentPageId parameter]
1.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery [filelist cookie]
1.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery/Image/Edit [PLESKSESSID cookie]
1.4. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Publish [Referer HTTP header]
1.5. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/css/styles.css [colorScheme parameter]
1.6. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/logo.gif [template parameter]
1.7. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/xsk_16.jpg [colorScheme parameter]
2. Cross-site scripting (reflected)
2.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [file parameter]
2.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [name of an arbitrarily supplied request parameter]
2.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/localizedimage.php [name of an arbitrarily supplied request parameter]
Please see URL http://www.cloudscan.me/2010/09/xss-sql-injection-in-plesk-small.html for the complete Advisory.