Info

Disclosure

Sep 11, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Plesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing the PLESKSESSID cookie before being used in SQL statements. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SWSoft has released a patch to address this vulnerability.

Products

SWSoft	Plesk for Windows	7.6.1
		8.1.0
		8.1.0.3
		8.1.1.2
		8.2

References

CVE ID: 2007-4892 (see also: NVD)
Bugtraq ID: 25646
Secunia Advisory ID: 26741
SCIP VulDB ID: 3306
ISS X-Force ID: 36580
Related OSVDB ID: 50939
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-09/0114.html
Other Advisory URL: http://kb.swsoft.com/en/2159

Credit

Nick I Merritt - HackerSafe Labs

Direct URL: http://osvdb.org/37009

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

SWSoft

Plesk for Windows

References

Credit