• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

PCI Compliance: jsw.js

U

ukOliverS

New Pleskian
Hey,

On performing a PCI compliance scan from SecurityMetrics against a fully patched Plesk server (11.5):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20130821T010234">
<patch version="13" timestamp="" installed-at="20130824T112258" />
</product>
</patches>
Click to expand...

The following issue is highlighted:

Description: CGI Generic Command Execution (time-based)
Synopsis: It may be possible to run arbitrary code on the remote web server.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By
leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method which is less reliable than the basic method.



Data Received: Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The '1376892702' parameter of the /javascript/jsw.js CGI : /javascript/jsw.js?
1376892702=%7C%7C%20sleep%2021%20%26
-------- output -------- // Copyright 1999-2012. Parallels IP Holdings GmbH. All Rights Reserved. /*
JavaScript Widgets */
Jsw = {
version: '1.0', baseUrl: '',
_registredComponents: null, _initOnReady: false, [...] ------------------------
Click to expand...

SM are happy to mark it as a false positive but first need to clarify exactly what this file does. Suspect this is a false positive but would appreciate some input from Parallels.
 
Judging by the source (available at /usr/local/psa/admin/htdocs/javascript/jsw.js) it's just a JavaScript library. Since it is served as static content, it couldn't be affected by any GET parameters, IMO. Therefore this time-based check should be a false positive. You should probably wait for the official comment though.
 
1376892702 is a timestamp. It's needed to control browser cache and nothing more. If jsw.js changed on the server (new version of Plesk was installed) new timestamp will be generated, that will force the browser to repeat request for jsw.js instead of using file retrieved earlier. File jsw.js is a static JavaScript file and its content could not be affected anyhow by GET parameters.
 
You must log in or register to reply here.

Similar threads

danami
Input Sentinel Anti-malware Extension for Plesk
Replies
6
Views
3K
danami
danami
raytracy
Resolved Backup job cannot find domain?
Replies
2
Views
1K
raytracy
raytracy
J
Vulnerability in ProFTP 1.3.3d (PCI Compliance)
Replies
4
Views
2K
JohnToTheK
J
D
Help with PCI compliance | SMTP SSL | Courier IMAP | Port 3306
Replies
2
Views
4K
Deoxymono
D
D
PCI Compliance Issues
Replies
2
Views
2K
Jllynch
Jllynch
Back
Top