Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability 1. OVERVIEW The Plesk versions from 7.0 to 8.2 are vulnerable to Open URL Redirection when "Enable webuser@domain.com" access format, a new feature introduced in Plesk 7.0, is enabled in user preferences. 2. BACKGROUND Parallels Plesk Panel is a turnkey Web hosting system that includes fully automated billing and provisioning, an integrated SiteBuilder, and access to over a hundred Web-based applications that you can use to create unique service plans that meet a variety of customer needs. 3. VULNERABILITY DESCRIPTION The Plesk 7.0 - 8.2 versions contain a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not properly parse Query String parameter to set it apart from webuser@domain.com format upon submission to the default web root url (/) of the affected domain (i.e www.domain.com/) . To further explain, when the URL with the format, http://domain.com/?@attacker.in, is requested, the Plesk mistakenly parses domain.com/? as a web user and attacker.com as the main domain. This allows an attacker to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site (domain.com) to an arbitrary web site (attacker.in) of the attacker's choice. This flaw takes place in the file, at_domains_index.html, part of the Plesk application. Vulnerable code snippets of at_domains_index.html are as follows: //////////////////////////////////////////////////////////////////////////////////// .... <title>Relocate</title> <script language="javascript"> var url = window.location.href; if (url.charAt(url.length - 1) != "/") url = url + "/"; var s = url.indexOf("//") + 2; var e = url.indexOf("@"); if (e > 0) { var atpart = url.substring(s, e); var newurl = url.substring(0, s) + url.substring(e + 1 , url.length); window.location = newurl + "~" + atpart + "/"; } else { window.location= "/index.html"; } </script> ........... //////////////////////////////////////////////////////////////////////////////////// Domains with webuser@domain.com access format disabled are not vulnerable. 4. VERSIONS AFFECTED 7.0 - 8.2 5. PROOF-OF-CONCEPT/EXPLOIT http://www.victim.com/?@%61%74%74%61%63%6b%65%72%2e%69%6e http://www.victim.com/?@attacker.in 6. SOLUTION Vendor will not release patch file for customers of affected versions. One of the following: - Use Plesk 8.3 or higher - Disable webuser@domain.com access format - Patch at_domains_index.html with http://yehg.net/lab/pr0js/advisories/plesk/patches/open-redirect/at_domains_index.html.zip [note: extract & edit file to modify your index url] 7. VENDOR Parallels Holdings Ltd http://www.parallels.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-03-09: notified vendor though publicly available emails 2011-03-22: no reply 2011-03-23: reported again through an email that asked feedback for using trial version of Plesk 10.x 2011-03-23: vendor confirmed that the issue is affected till the version 8.2 2011-03-25: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[plesk_7.0-8.2]_open_url_redirection Parallels Plesk Home Page: http://www.parallels.com/products/plesk OWASP Top 10 2010 - A 10: http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601 CWE-601: http://cwe.mitre.org/data/definitions/601.html #yehg [2011-03-25] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd