• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Web Server Cross Site Scripting

Martin73

Basic Pleskian
I am scanning my server regularly with the service ScanMyServer from Beyond Security. Recently I have got following result:
The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability.
The vulnerability is caused when the result returned to the user when a non-existing file is requested contains the original URL (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Code:
Sample URL: https://www.mydomain.com:443/index.php?param=">alert(document.cookie)< /script>.php
Sample Request:
===
GET /index.php?param=">alert(document.cookie)</script>.php HTTP/1.1
Connection: Close
Host: www.mydomain.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11
U
Linux i686
en-US
rv:1.7.8)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

How can I change the setting to protect the server?

My virtual server:
Ubuntu 16.04.4 LTS‬
Plesk Onyx 17.8.11
 
The underlying cause of this is not so much related to your server but rather that your index.php script or your application is not sanitizing inputs.

Inputs passed to sites or pages may be legitimate or nefarious in nature so while there are tools that run at the server or CDN level to scan for and block those requests, you would be better off fixing the script itself since the PHP script is what is enabling anyone to pass scripts that directly rendered on the page.

The takeaway here is that it's not a Plesk or OS issue.
 
You're right. I have adapted the htaccess file and will wait for the result of the next security scan.
 
Back
Top