Plesk – Content Disclosure (Root Access) (R911-0005)

Type: Content Disclosure (Root Access)
Impact: High
Product: Plesk
Website: http://www.plesk.com
Vulnerable Version: v11.0.9 #49 and prior.
Fixed Version: v11.0.9 #50 and later.
CVE: -
R911: 0005
Date: 2013-05-20
By: http://www.rack911.com

Product Description:

Parallels “Plesk” allows a server administrator to set up new websites, reseller accounts, e-mail accounts, and DNS entries through a web-based interface. The administrator can create client and site templates, which predetermine resource-allocation parameters for the domains and/or clients.

Vulnerability Description:

The website copying feature contains a flaw: an attacker can create a hardlink (ln) to any file on the server, and that file will then be copied to the destination. Any user can carry out this attack, and SSH access is not required for it to work.
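A defensive sketch of the check a privileged copy routine can apply to the hardlink problem described above. This is an added example, not Rack911's proof of concept and not Plesk's actual fix; the function names and the policy (refuse any source file that has more than one link or is not owned by the site user) are assumptions, and the sample tree is constructed.

```python
import os, shutil, stat, tempfile

def copy_file_checked(src, dst, owner_uid):
    """Copy src to dst only if src is a single-link regular file owned by owner_uid."""
    # O_NOFOLLOW rejects a symlink at src. The checks use fstat() on the open
    # descriptor, so the file inspected is the file that gets copied.
    fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != owner_uid:
            raise PermissionError("owned by uid %d" % st.st_uid)
        if st.st_nlink != 1:
            raise PermissionError("%d hardlinks" % st.st_nlink)
        # O_EXCL refuses a destination that already exists.
        out = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "rb", closefd=False) as fin, os.fdopen(out, "wb") as fout:
            shutil.copyfileobj(fin, fout)
    finally:
        os.close(fd)

def copy_site(src_root, dst_root, owner_uid):
    """Copy a site tree; return (copied, refused) with paths relative to src_root."""
    copied, refused = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        os.makedirs(os.path.join(dst_root, rel_dir), exist_ok=True)
        for name in sorted(files):
            rel = os.path.normpath(os.path.join(rel_dir, name))
            try:
                copy_file_checked(os.path.join(dirpath, name), os.path.join(dst_root, rel), owner_uid)
                copied.append(rel)
            except OSError as exc:  # PermissionError above, or ELOOP for a symlink
                refused.append((rel, str(exc)))
    return copied, refused

def demo():
    """Constructed sample: one ordinary file plus a hardlink to a file outside the site."""
    with tempfile.TemporaryDirectory() as tmp:
        site, outside = os.path.join(tmp, "site"), os.path.join(tmp, "outside.txt")
        os.mkdir(site)
        for path, text in ((os.path.join(site, "index.html"), "<h1>hi</h1>"), (outside, "other data")):
            with open(path, "w") as f:
                f.write(text)
        os.link(outside, os.path.join(site, "linked.txt"))
        return copy_site(site, os.path.join(tmp, "copy"), os.getuid())

if __name__ == "__main__":
    print(demo())
```

The refused list doubles as an audit log: a hardlinked or foreign-owned file inside a customer's document root is worth alerting on in its own right.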

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability as HIGH because any file can be viewed regardless of ownership, including root-owned files such as /etc/shadow and any private SSH keys.

Vulnerable Version:

This vulnerability was tested against Plesk v11.0.9 #49.

Fixed Version:

This vulnerability was patched in Plesk v11.0.9 #50 and later.

Vendor Contact Timeline:

2013-05-09: Vendor contacted via email.
2013-05-13: Vendor confirms vulnerability.
2013-05-14: Vendor issues v11.0.9 #50 update.
2013-05-20: Rack911 issues security advisory.