Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities

EDB-ID:

15313

CVE:





Platform:

PHP

Date:

2010-10-25


XSS + SQL Injection in Plesk Small Business Manager 10.2 + Site Editor
######################################################################## 
# Vendor: Plesk Small Business Manager 10.2 + Site Editor
# Product Description URL http://www.parallels.com/products/small-business-panel/
# Date: 2010-09-17
# Author : David Hoyt – http://cloudscan.me
# Contact : h02332@gmail.com
# Home : http://cloudscan.me
# Dork : Small Business Manager
# Bug : Cross Site Scripting + SQL Injection 
# Tested on : Plesk Small Business Manager 10.2.0 // Windows 2008 /64/R2
# Disclosure : Uncoordinated 
########################################################################
UPDATED OCT-14-2010
NOTE TO PARALLELS TEAM: EXPANDED INFO IN [Parallels #1020740] Security issues PSBP and SiteEditor. 


Here are the Audit Reports:


URL Reports for Plesk Small Business Manager 20.2.0 + Site Editor
http://xss.cx/examples/plesk-reports/plesk-10.2.0.html
http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html
http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.xml


Picture Proofs:
http://xss.cx/images/plesk-cover-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-sqli-2-1.jpg
http://xss.cx/images/plesk-site-editor-sqli-1-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-1-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-2-1.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-5.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-6.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-7.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-8.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-9.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-11.jpg
http://xss.cx/images/plesk-small-biz-10.2.0-xss-12.jpg




Vulnerability Examples:
----------------------------------------
1. SQL Injection
Summary
Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /plesk/client@1/domain@1/hosting/file-manager/create-dir/


Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /plesk/client@1/domain@1/hosting/file-manager/permissions/






2. Cross-site scripting (reflected)
2.1. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.2. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.3. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/app/available/id/apscatalog/ [category parameter]
2.4. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/copy [items%5B0%5D parameter]
2.5. http://vulnerable.plesk.smb.10.2.0.site:8880/smb/file/index/type/external/ [folder parameter]


Summary
Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/app/available/id/apscatalog/


Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/app/available/id/apscatalog/




Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/file/copy


Severity:   High
Confidence:   Certain
Host:   http://vulnerable.plesk.smb.10.2.0.site:8880
Path:   /smb/file/index/type/external/






DETAILS ON SITE EDITOR:


1. SQL injection


1.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Html [currentPageId parameter]
1.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery [filelist cookie]
1.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/ImageGallery/Image/Edit [PLESKSESSID cookie]
1.4. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Publish [Referer HTTP header]
1.5. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/css/styles.css [colorScheme parameter]
1.6. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/logo.gif [template parameter]
1.7. http://vulnerarable.plesk.smb.10.2.0.site:2006/sites/78/78806f0057ebcbb04597bd12795bd6a6/__edit/images/xsk_16.jpg [colorScheme parameter]


2. Cross-site scripting (reflected)
2.1. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [file parameter]
2.2. http://vulnerarable.plesk.smb.10.2.0.site:2006/Wizard/Edit/Modules/Image [name of an arbitrarily supplied request parameter]
2.3. http://vulnerarable.plesk.smb.10.2.0.site:2006/localizedimage.php [name of an arbitrarily supplied request parameter]






Please see URL http://www.cloudscan.me/2010/09/xss-sql-injection-in-plesk-small.html for the complete Advisory.