2. Cross-site scripting (reflected)
3. Cleartext submission of password
3.1. http://vulnerable.plesk.control.panel.20110407.20:8880/login_up.php3
3.4. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/create
3.5. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/create/
3.6. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/4
3.7. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/mail-list/create/
3.8. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/my-profile
3.9. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create
3.10. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create/
3.11. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/2
3.12. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/3
3.13. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/4
3.14. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/web/edit
4. Password returned in later response
5. Cookie without HttpOnly flag set
5.1. http://vulnerable.plesk.control.panel.20110407.20:8880/
5.2. http://vulnerable.plesk.control.panel.20110407.20:8880/javascript/chk.js.php
5.3. http://vulnerable.plesk.control.panel.20110407.20:8880/login_up.php3
5.4. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create
5.7. http://vulnerable.plesk.control.panel.20110407.20:8880/get_password.php
5.8. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/backup/local-repository/
5.9. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/custom-buttons/
5.13. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/backup/create/
5.18. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/certificate@
5.19. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/dns/
5.20. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/domain-alias@
5.31. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/odbc/
5.34. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/traffic-hosting
5.35. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/shared-ssl/
5.36. http://vulnerable.plesk.control.panel.20110407.20:8880/spaw/spaw.php
6. Password field with autocomplete enabled
6.3. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/my-profile
6.4. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create
6.5. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create/
6.6. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/2
6.7. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/3
6.8. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/4
8. Cross-domain Referer leakage
9.4. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/domain@1/certificate@
10. Database connection string disclosed
11.1. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/1
11.2. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/2
11.3. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/4
11.4. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/list
11.5. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/list/
11.6. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/my-profile
11.7. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create
11.8. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/2
11.9. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/3
11.10. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/4
11.11. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/list
11.12. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/list
11.13. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/list/
12. HTML does not specify charset
12.1. http://vulnerable.plesk.control.panel.20110407.20:8880/
12.2. http://vulnerable.plesk.control.panel.20110407.20:8880/javascript/chk.js.php
12.4. http://vulnerable.plesk.control.panel.20110407.20:8880/plesk/client@2/register-domain/
12.5. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/admin-home/featured-applications/
12.7. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/app/install/metaId/1
12.9. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/create
12.10. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/2
12.11. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/4
12.12. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/create
12.13. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/4
12.14. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/web/view
13. Content type incorrectly stated
13.1. http://vulnerable.plesk.control.panel.20110407.20:8880/javascript/chk.js.php
13.4. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/admin-home/featured-applications/
13.6. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/email-address/edit/id/2
13.7. http://vulnerable.plesk.control.panel.20110407.20:8880/smb/user/edit/id/4
Severity: High
Confidence: Tentative
Host: http://www.nosedives
Path: /plesk/client@2/domain@1
GET /plesk/client@2/domain@1
Host: vulnerable.plesk.control.panel.20110407.20
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PLESKSESSID=66f4f3aa

HTTP/1.1 500 Internal Server Error
Cache-Control: post-check=0, pre-check=0,no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 23 May 2011 20:35:43 GMT
Server: Microsoft-IIS/7.5
P3P: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
X-Powered-By: ASP.NET
Date: Mon, 23 May 2011 20:35:46 GMT
Connection: close
Content-Length: 1208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR <html xmlns="http://www.w3.org <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>500 - Internal server error.</title> <style type="text/css"> <!-- body{margin:0;font-size: fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin h2{font-size:1.7em;margin h3{font-size:1.2em;margin #header{width:96%;margin background-color:#555555; #content{margin:0 0 0 2%;position:relative;} .content-container --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container" <h2>500 - Internal server error.</h2> <h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3> </fieldset></div> </div> </body> </html>

GET /plesk/client@2/domain@1
Host: vulnerable.plesk.control.panel.20110407.20
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PLESKSESSID=66f4f3aa

HTTP/1.1 200 OK
Cache-Control: post-check=0, pre-check=0,no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 23 May 2011 20:35:47 GMT
Server: Microsoft-IIS/7.5
P3P: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
Set-Cookie: psaContext=dashboard; path=/
X-Powered-By: ASP.NET
Date: Mon, 23 May 2011 20:35:49 GMT
Connection: close
Content-Length: 93511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR <head> <meta http-equiv="X-UA <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="forgery_protection <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /> <link rel="icon" href="/favicon.ico" type="image/ico" /> <link rel="stylesheet" type="text/css" href="/skins/default <link rel="stylesheet" type="text/css" href="/skins/default <link rel="stylesheet" type="text/css" href="/skins/default <link rel="stylesheet" type="text/css" href="/skins/default <!--[if IE]><link rel="stylesheet" type="text/css" href="/skins/default <link href="/skins/default/css <link href="/skins/default/css <link href="/skins/default/css <link href="/skins/default/css <!--[if lte IE 7]> <link href="/skins/default/css <!--[if IE 8]> <link href="/skins/default/css <link href="/skins/default/css <script type="text/javascript" src="/smb/externals <script type="text/javascript" src="/javascript/jsw.js <script type="text/javascript" src="/smb/scripts/smb.js <script type="text/javascript" src="/javascript/tooltip <script type="text/javascript" src="/javascript/widget <script type="text/javascript" src="/javascript/chk.js <script type="text/javascript" src="/javascript/common <script type="text/javascript" src="/admin/scripts/admin <title>Parallels Plesk Panel 10.2.0 for Microsoft Windows</title> <script type="text/javascript"> Jsw.baseUrl = '/smb'; Jsw.skinUrl = '/skins/default'; Jsw.showErrorDetails = false;