1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

[PLESK 7.5 Reload] & [PLESK 7.6 for MS Windows] path passing and disclosure vulnerabi

Discussion in 'Plesk for Linux - 8.x and Older' started by lvalics, Sep 24, 2006.

  1. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    /*--------------------------------------
    [PLESK 7.5 Reload (and lower) & PLESK 7.6 for M$ Windows path passing and disclosure]
    Discovered By: GuanYu
    Email: guanyu_vn@yahoo.com
    Website: HVA (http://www.vnhacker.org)
    --------------------------------------*/

    -| Description: |-

    PLESK is a powerful web control panel, site builder... You can see more about it at:

    http://www.swsoft.com/en/products/plesk/switch/ .
    So, i have found a security hole - path passing and disclosure - of this product (version

    [PLESK 7.5 Reload] and [PLESK 7.6 for M$ Windows]) in the file : filemanager.php


    -| What an attacker can do? |-

    The attacker can take advantage of this hole to access the parent folder (which he havent

    authorization).
    Like this:

    https://[stie]:8443/filemanager/filemanager.php?cmd=chdir&file=../

    That URL will show him (attacker) the parent folder of his "web root" folder. Using more

    "/../" characters, he'll go to up, up, and up folder so he can gain lot of important info.

    -| How to fix it? |-

    Upgrade to the PLESK 8.0 :D.

    - End -

    P/S: Sorry about my English, its to bad.
     
Loading...