Plesk 10 & 11 SSO XXE/XSS
This blog post is about a complete failure that resulted in a win. In IRC I noticed people chatting about the offensive-security.com bug bounty. As they are the provider of what are meant to be some of the best security courses and certificates in the business, I looked fondly towards this as a great challenge. I decided to set aside 2 or 3 hours this evening to have a poke at their sites. I'm currently in the closing stages of my final year in college, so I've been very busy of late; these few hours are all I could spare.
After some searching and fumbling around I came across the domain https://sun.backtrack-linux.org. This then redirected me to an ns******.ovh.net domain. I was greeted with the familiar page of a Parallels Plesk panel. This, if you are unfamiliar, is used by many hosting and service providers as a way of managing multiple web services. It is an interesting bit of software. It allows some lower-level administrative tasks to be managed from a single web interface. This is perfect for anyone who may be into that sort of thing. It could also be seen as a web hosting package manager. The image you see below is a default placeholder page for a service that was just set up.
Since I was familiar with Plesk, I immediately appended port 8443 to my request. After some strange redirects I was sent to a login page. This page had "Parallels Plesk Panel 11.0.9" as the title. The URL after the redirects looked like the following: https://ns******.ovh.net:8443/sso/ui. At this point I was sure there was something amiss here. I googled SSO and discovered this was Plesk single sign-on.
I knew offensive-security didn't accept reflective cross-site scripting as part of their bounty, but I reported it anyway, solely because at this point I was convinced I had just XSS'd one of their admin panel Plesk domains. The proof of concept for the XSS is at the following location: makthepla.net/pleskXSSpoc.php?url=
Next I tried playing around with some XML External Entity injection. I simply took the format of the XML and changed it to include /etc/passwd. This can't work, right? WRONG. I was greeted with the following... I can now read arbitrary files from your webserver bro. I sent this information on to offensive-security.com, still convinced I'd just made myself $500. Turns out it was an old domain and they didn't own the IP. Oops... Luckily there was nothing on it yet.
I created a proof of concept for this too, at the following location: makthepla.net/pleskXXEpoc.php?url= The URL param is simply inserted into the form for you.
So, I don't have the time to set up an environment to test exactly what versions are vulnerable. The latest versions (12x) and the older (8x & 9x) varieties don't seem to be, nor do any Windows or Nginx versions. For this to work, SSO needs to be enabled (which it seems to be by default) and you need to be redirected to /relay. I tested this bug on a few 11.0.9 and 10.4.4 varieties and it worked successfully. Through some google-fu there did seem to be a lot of sites using these versions. Don't shoot the messenger ;)
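The defensive counterpart to the XXE described above, added here as an example (it is not Plesk's code and not from the original post): a parser wrapper that refuses any DOCTYPE or entity declaration before an SSO-style endpoint acts on client-supplied XML. The element names and both sample messages are constructed assumptions.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenXML(ValueError):
    """The document carries a DOCTYPE/entity declaration or is malformed."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML, refusing every construct XXE depends on."""
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def forbid(kind):
        def handler(*_args):
            raise ForbiddenXML(kind + " not allowed")
        return handler

    # An exception raised inside an expat handler aborts Parse() immediately,
    # so no entity is ever resolved.
    parser.StartDoctypeDeclHandler = forbid("DOCTYPE")
    parser.EntityDeclHandler = forbid("entity declaration")
    parser.UnparsedEntityDeclHandler = forbid("unparsed entity")
    parser.ExternalEntityRefHandler = forbid("external entity reference")

    parser.StartElementHandler = lambda name, attrs: builder.start(name, attrs)
    parser.EndElementHandler = lambda name: builder.end(name)
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ForbiddenXML("malformed XML: %s" % exc) from exc
    return builder.close()


# Constructed sample messages (element names are hypothetical).
BENIGN = b"<request><user>alice</user></request>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE request [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>'
           b"<request><user>&x;</user></request>")


def is_acceptable(data: bytes) -> bool:
    """True only if the message parses without any forbidden construct."""
    try:
        parse_untrusted_xml(data)
        return True
    except ForbiddenXML:
        return False


if __name__ == "__main__":
    print(is_acceptable(BENIGN), is_acceptable(HOSTILE))
```

Rejecting the DOCTYPE outright, rather than trying to filter individual entities, also blocks internal-entity expansion tricks that never touch the filesystem.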
So I failed to get a bounty, but I did find a neat bug that I'm pretty sure wasn't publicly disclosed before. If it has been, I certainly haven't found it. I'll eventually write this up more formally and submit it to full-disclosure or something... I love finding bugs in slightly older software that was somehow missed by many. Anyway! HAPPY HUNTING