• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

PCI Compliance: jsw.js

U

ukOliverS

New Pleskian
Hey,

On performing a PCI compliance scan from SecurityMetrics against a fully patched Plesk server (11.5):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20130821T010234">
<patch version="13" timestamp="" installed-at="20130824T112258" />
</product>
</patches>
Click to expand...

The following issue is highlighted:

Description: CGI Generic Command Execution (time-based)
Synopsis: It may be possible to run arbitrary code on the remote web server.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By
leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method which is less reliable than the basic method.



Data Received: Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The '1376892702' parameter of the /javascript/jsw.js CGI : /javascript/jsw.js?
1376892702=%7C%7C%20sleep%2021%20%26
-------- output -------- // Copyright 1999-2012. Parallels IP Holdings GmbH. All Rights Reserved. /*
JavaScript Widgets */
Jsw = {
version: '1.0', baseUrl: '',
_registredComponents: null, _initOnReady: false, [...] ------------------------
Click to expand...

SM are happy to mark it as a false positive but first need to clarify exactly what this file does. Suspect this is a false positive but would appreciate some input from Parallels.
 
Judging by the source (available at /usr/local/psa/admin/htdocs/javascript/jsw.js) it's just a JavaScript library. Since it is served as static content, it couldn't be affected by any GET parameters, IMO. Therefore this time-based check should be a false positive. You should probably wait for the official comment though.
 
1376892702 is a timestamp. It's needed to control browser cache and nothing more. If jsw.js changed on the server (new version of Plesk was installed) new timestamp will be generated, that will force the browser to repeat request for jsw.js instead of using file retrieved earlier. File jsw.js is a static JavaScript file and its content could not be affected anyhow by GET parameters.
 
You must log in or register to reply here.

Similar threads

iain
Question PCI compliance - Postfix EXPN/VRFY issue
Replies
1
Views
873
iain
iain
P
Issue Can kernel be updated in Centos without breaking Plesk.
Replies
2
Views
2K
Bitpalast
Bitpalast
akira9000
Resolved Just had a bumpy ride upgrading from Plesk 17.8.11 to Obsidian 18.0.28
Replies
10
Views
3K
akira9000
akira9000
Mark12345
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My
Replies
8
Views
5K
Mark12345
Mark12345
R
With PCI Compliance enabled, Horde Webmail stops working
Replies
1
Views
2K
B_P
B
Back
Top