Summary

A critical Cross-Site Scripting (XSS) was identified and fixed in Plesk, aka PFSI-62465. In case your Plesk instance is vulnerable (you are running Plesk 17.0 to 18.0.31), a malicious subscription owner (customer or additional user) can fully compromise the server if an admin visits a certain page in Plesk related to the malicious subscription.

How Plesk website defines it self:

Plesk is the leading WebOps hosting platform to run, automate and grow applications, websites and hosting businesses. Being the only OS agnostic platform, Plesk is running on more than 430,000 servers, automating 12M+ websites and 16.5M+ mail boxes. Available in more than 32 languages across 140 countries, 50% of the top 100 service providers worldwide are partnering with Plesk today.

Vulnerable Plesk versions: from 17.0 to 18.0.31.

Fixed on: Plesk Obsidian 18.0.32.

How I discovered it?

After a while trying to find an XSS in the Plesk panel and testing different end points I found out that the attacker can insert malicious code into their domain description. How did I get there? Well, when I was inserting a polyglot XSS payload, I had a very strange output. This made me suspect that maybe the field was potentially vulnerable.

This is the payload I used:

1

After that, when I saved, I saw that \x3csVg/ was printed out of the text area.

2

So my intuition told me to insert <img src=x onerror=alert(1);> as XSS payload in place of the x3csVg text. Wich I did, resulting in:

And … voilá!

3

I realized that the customer can insert malicious code in any domain description that will be executed in the administrator account if the administrator visit it. An attacker can insert unsanitized JavaScript closing the HTML tag <textarea> and inserting the malicious code later.

The final exploit to insert must look like this:

</textarea><!-- malicious code !-->

References