Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability
1. OVERVIEW
Plesk versions 7.0 through 8.2 are vulnerable to Open URL
Redirection when the "Enable user@domain" access format, a feature
introduced in Plesk 7.0, is enabled in the user preferences.
2. BACKGROUND
Parallels Plesk Panel is a turnkey Web hosting system that includes
fully automated billing and provisioning, an integrated SiteBuilder,
and access to over a hundred Web-based applications that you can use
to create unique service plans that meet a variety of customer needs.
3. VULNERABILITY DESCRIPTION
Plesk 7.0 through 8.2 contain a flaw that allows a remote open URL
redirection (cross-site redirect) attack. The flaw exists because the
application does not separate the query string from the user@domain
access format when a request is made to the default web root URL (/)
of an affected domain (i.e. www.domain.com/). The relocation page served
at / reads window.location.href, which still carries the query string,
and treats everything between "//" and the first "@" as the web user
name and everything after the "@" as the domain to redirect to. So when
a URL of the form http://domain.com/?@attacker.com is requested, Plesk
mistakenly parses domain.com/? as a web user and attacker.com as the
main domain, and sends the browser to http://attacker.com/~domain.com/?/.
This allows an attacker to create a specially crafted URL that, if
clicked, redirects the victim from the intended legitimate web site
(domain.com) to an arbitrary web site (e.g. attacker.in) of the
attacker's choice. The flaw is in the file at_domains_index.html, part
of the Plesk application.
The vulnerable code snippet from at_domains_index.html is as follows:
////////////////////////////////////////////////////////////////////////////////////
....
<title>Relocate</title>
<script language="javascript">
    // The full URL, query string included, is the parser's input
    var url = window.location.href;
    if (url.charAt(url.length - 1) != "/")
        url = url + "/";
    var s = url.indexOf("//") + 2;
    // First "@" anywhere in the URL, not only in the host part
    var e = url.indexOf("@");
    if (e > 0) {
        // Everything between "//" and "@" is taken as the web user name ...
        var atpart = url.substring(s, e);
        // ... and everything after "@" as the domain to redirect to
        var newurl = url.substring(0, s) + url.substring(e + 1, url.length);
        window.location = newurl + "~" + atpart + "/";
    } else {
        window.location = "/index.html";
    }
</script>
...........
////////////////////////////////////////////////////////////////////////////////////
Domains with the user@domain access format disabled are not vulnerable.
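The misparse described above, as an added example that is neither Plesk's own code nor the vendor's or YGN's patch file: the relocation logic from at_domains_index.html lifted into a function that takes the URL as an argument, beside a hardened replacement that inspects only the authority part of the URL and always redirects to a site-relative path. The host names, user names and the assumed character set for Plesk web user names are constructed for this example.

```javascript
// Vulnerable logic of at_domains_index.html, lifted into a function that
// takes the href instead of reading window.location. It searches the WHOLE
// URL for the first "@", so a query string such as "?@attacker.in" is
// treated as user@domain and the part after "@" becomes the target host.
function vulnerableRelocate(href) {
  var url = href;
  if (url.charAt(url.length - 1) != "/") url = url + "/";
  var s = url.indexOf("//") + 2;
  var e = url.indexOf("@");
  if (e > 0) {
    var atpart = url.substring(s, e);
    var newurl = url.substring(0, s) + url.substring(e + 1, url.length);
    return newurl + "~" + atpart + "/";
  }
  return "/index.html";
}

// Hardened replacement (this example's suggestion, not the vendor's patch).
// Only the authority component (between "//" and the first "/", "?" or "#")
// is inspected, so an "@" in the path, query or fragment never reaches the
// parser; the user name is whitelisted; and the result is a site-relative
// path, so the browser can never be sent to another origin.
function safeRelocate(href) {
  var s = href.indexOf("//");
  if (s < 0) return "/index.html";
  s += 2;
  var end = href.length;
  var delimiters = ["/", "?", "#"];
  for (var i = 0; i < delimiters.length; i++) {
    var p = href.indexOf(delimiters[i], s);
    if (p >= 0 && p < end) end = p;
  }
  var authority = href.substring(s, end);
  // WHATWG URL parsing treats everything up to the LAST "@" as credentials.
  var at = authority.lastIndexOf("@");
  if (at < 0) return "/index.html";
  var user = authority.substring(0, at);
  var colon = user.indexOf(":"); // drop any "user:password" password part
  if (colon >= 0) user = user.substring(0, colon);
  // Assumed web user name charset: alphanumerics, "_", "-", "."; must start
  // with an alphanumeric so ".." cannot be smuggled into the path.
  if (!/^[A-Za-z0-9][A-Za-z0-9_.-]*$/.test(user)) return "/index.html";
  return "/~" + user + "/";
}

// Hostname a browser would actually connect to for a computed redirect
// target (null when the target is site-relative or unparsable).
function redirectHost(target) {
  if (target.charAt(0) === "/") return null;
  try {
    return new URL(target).hostname;
  } catch (e) {
    return null;
  }
}
```

Run under Node.js. redirectHost uses the WHATWG URL parser, which percent-decodes the host, which is why the percent-encoded form of the proof-of-concept is as effective as the plain one against vulnerableRelocate. The hardened version needs no allow-list of domains because its redirect target never contains a host at all.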
4. VERSIONS AFFECTED
7.0 - 8.2
5. PROOF-OF-CONCEPT/EXPLOIT
http://www.victim.com/?@%61%74%74%61%63%6b%65%72%2e%69%6e
http://www.victim.com/?@attacker.in
(the first URL is the second with the target host percent-encoded; the
browser decodes it, so both redirect the victim to http://attacker.in/)
6. SOLUTION
The vendor will not release a patch for the affected versions.
Apply one of the following:
- Use Plesk 8.3 or higher
- Disable the user@domain access format
- Patch at_domains_index.html with
http://yehg.net/lab/pr0js/advisories/plesk/patches/open-redirect/at_domains_index.html.zip
[note: extract the archive and edit the file to set your own index URL]
7. VENDOR
Parallels Holdings Ltd
http://www.parallels.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-03-09: notified vendor through publicly available emails
2011-03-22: no reply
2011-03-23: reported again through an email that asked for feedback on
using the trial version of Plesk 10.x
2011-03-23: vendor confirmed that the issue affects versions up to 8.2
2011-03-25: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[plesk_7.0-8.2]_open_url_redirection
Parallels Plesk Home Page: http://www.parallels.com/products/plesk
OWASP Top 10 2010 - A10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html
#yehg [2011-03-25]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd