Plesk Small Business Manager for Windows Version 10.2.0 of October 2010

XSS.CX Summary

The Windows and RHEL6 Linux versions of Parallels Plesk Control Panel Version 20110407.20 are vulnerable to XSS and other injection vulnerabilities that can be triggered by a least-privileged user logged into the Control Panel. Various exploits are possible, from XSS to DoS. This report is specific to proving CWE-79 (XSS) as the least-privileged authenticated user of the Control Panel application. Initially reported privately to Plesk in October 2010 in Parallels Ticket #1020740, these vulnerabilities, and others, still exist in the current releases of the Control Panel products. Further reported to CERT in April 2011 under Ticket VU#541814. No contact received after June 1, 2011. Published September 21, 2011 on XSS.CX.

Reflected XSS as Authenticated User in Plesk Control Panel Version 20110407.20.

XSS in Parallels Plesk Control Panel 10.2 for Windows, XSS, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86

Target Analysis File with Burp Suite Pro 1.3.08

Target Analysis

Report generated by XSS.CX Research Blog at Sun Oct 10 02:22:02 CDT 2010.
Dynamic URLs

Static URLs

Unique parameter names