• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

[PLESK 7.5 Reload] & [PLESK 7.6 for MS Windows] path passing and disclosure vulnerabi

lvalics

lvalics

Silver Pleskian
Plesk Guru
/*--------------------------------------
[PLESK 7.5 Reload (and lower) & PLESK 7.6 for M$ Windows path passing and disclosure]
Discovered By: GuanYu
Email: [email protected]
Website: HVA (http://www.vnhacker.org)
--------------------------------------*/

-| Description: |-

PLESK is a powerful web control panel, site builder... You can see more about it at:

http://www.swsoft.com/en/products/plesk/switch/ .
So, i have found a security hole - path passing and disclosure - of this product (version

[PLESK 7.5 Reload] and [PLESK 7.6 for M$ Windows]) in the file : filemanager.php


-| What an attacker can do? |-

The attacker can take advantage of this hole to access the parent folder (which he havent

authorization).
Like this:

https://[stie]:8443/filemanager/filemanager.php?cmd=chdir&file=../

That URL will show him (attacker) the parent folder of his "web root" folder. Using more

"/../" characters, he'll go to up, up, and up folder so he can gain lot of important info.

-| How to fix it? |-

Upgrade to the PLESK 8.0 :D.

- End -

P/S: Sorry about my English, its to bad.
 
You must log in or register to reply here.

Similar threads

S
Critical Plesk vulnerability
Replies
6
Views
5K
IgorG
IgorG
D
How Do I Allow Parent Path (../) in Windows server with Plesk
Replies
3
Views
6K
TRGEN
T
T
Plesk 7.5 reloaded cannot find wvHtml to view word document.
Replies
0
Views
2K
tcong
T
L
Error about File Manager in Plesk 7.5.1
Replies
0
Views
2K
line
L
J
Migrate from Plesk 7 Reloaded for RH9 to 7.5 windows
Replies
2
Views
2K
jhankins
J
Back
Top