Plesk Panel Input Validation Flaw Lets Remote Users Inject SQL Commands
|
|
SecurityTracker Alert ID: 1027243 |
|
SecurityTracker URL: http://securitytracker.com/id/1027243
|
|
CVE Reference:
CVE-2012-1557
(Links to External Site)
|
Date: Jul 12 2012
|
Impact:
Disclosure of system information, Disclosure of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 10.4.x
|
Description:
A vulnerability was reported in Plesk Panel. A remote user can inject SQL commands.
The 'admin/plib/api-rpc/Agent.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
This vulnerability is being actively exploited.
[Editor's note: Some sources have reported that an exploit for a different vulnerability affecting version 10.4.x may be available. The vendor reports that there is no new vulnerability, but rather, some customers are being re-hacked after not fully applying the fix by removing existing sessions. See the Solution section.]
|
Impact:
A remote user can execute SQL commands on the underlying database.
|
Solution:
The vendor has issued a fix.
The fix also includes a Mass Password Reset Script that must be executed to remove existing sessions and prevent a recurrence.
The vendor's advisory is available at:
http://kb.parallels.com/en/113321
|
Vendor URL: kb.parallels.com/en/113321 (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
