CSRF Enabled Server Takeover in Plesk API

by Sriram Parisa

Plesk’s REST API is vulnerable to cross-site request forgery (CSRF), which can lead to multiple potential attacks, including malicious file upload and server takeover. Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to manage their websites and file servers. This interface has been thoroughly tested and patched against security holes.

However, Adrian Tiron, a security researcher at FortBridge, found that the REST API that allows third-party programs to access Plesk’s functionality is not as robust as its web user interface counterpart.

Cross-site request forgery
While researching Plesk during a project for one of his clients, Tiron discovered that there were no safeguards against CSRF when calling the REST API from a logged-in administrator’s browser. This flaw means that if an attacker lures a Plesk admin to visit a malicious page, they can perform cookieless CSRF attacks on the server.

Many API endpoints can be attacked via a cookieless CSRF exploit. Most interesting, Tiron said, is an endpoint that supports various commands, including changing the administrator password. Using this endpoint, the researcher was able to hijack an administrative user account and gain full control over the host.

“Admin access in Plesk is very powerful. Plesk is used to fully manage hosts through a web interface so it has root [access],” Tiron told The Daily Swig.


Other minor bugs
Other endpoints can be exploited by other CSRF attacks, including exploits that allow MySQL and FTP users to be created on the Plesk server.

Because the MySQL port is blocked externally by default, adding a database user has limited effect.

“However, if [MySQL] is misconfigured, it can give RCE [remote code execution] on the server as a limited user — a rare scenario we expect,” Tiron said. An FTP user gives an attacker “RCE as a limited user (at least) because the attacker can upload a web shell,” he added.

Plesk’s web interface uses the Authorization header, which prevents unauthenticated access to the administration tool pages. After the user enters their credentials, the browser automatically adds appropriate headers to the requests, allowing the server to distinguish authenticated users. Authorization headers also prevent accidental unauthenticated access to REST API endpoints. But all these can be circumvented by HTML-based CSRF attacks.

“Developers thought they were protected from CSRF because they were using the Authorization header,” Tiron said. “While this is true for requests created with XHR (an attacker needs to know this header to add it to the request), it’s not true if you’re using HTML forms – in this case, the browser adds the Authorization header automatically, by design.”

The Plesk bug has been fixed. According to the company, 98.4% of Plesk servers are automatically updated and therefore not affected. Tiron recommends that developers ensure that all POST requests that change server state implement CSRF mitigation using the Synchronizer Token pattern or the Double Submit Cookie pattern. “Based on our experience we recommend the former,” Tiron concluded.
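As an added illustration (not code from the article, Plesk or FortBridge), the snippet below models the browser behaviour Tiron describes and contrasts the flawed check (Authorization header present) with the Synchronizer Token check he recommends. The session class, endpoint path, credential string and header handling are assumptions.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Session:
    """Hypothetical server-side session for one logged-in admin (assumed design)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_form(session: Optional[Session]) -> str:
    """Form posting to a state-changing endpoint (path is a placeholder).
    The genuine admin page embeds the session's token as a hidden field; a page on
    another origin cannot read that token, so its copy of the form has none."""
    token = session.csrf_token if session else ""
    return ('<form method="POST" action="/api/change-password-PLACEHOLDER">'
            f'<input type="hidden" name="csrf_token" value="{token}"></form>')


def browser_submit(form_html: str, cached_auth: str) -> Tuple[dict, dict]:
    """Model of the browser behaviour the article describes: on an HTML form submit
    the browser attaches cached HTTP auth credentials regardless of which origin
    served the form. Returns (request headers, submitted fields)."""
    fields = dict(re.findall(r'name="([^"]+)" value="([^"]*)"', form_html))
    headers = {"Authorization": cached_auth} if cached_auth else {}
    return headers, fields


def weak_is_authorized(headers: dict) -> bool:
    """The assumption the article says developers relied on: an Authorization
    header proves the user meant to send the request. Form submits defeat this."""
    return "Authorization" in headers


def strong_is_authorized(headers: dict, fields: dict, session: Session) -> bool:
    """Synchronizer Token pattern: the request must be authenticated AND carry the
    token issued with this session. compare_digest is constant-time, so the token
    cannot be recovered through timing differences."""
    if "Authorization" not in headers:
        return False
    return hmac.compare_digest(fields.get("csrf_token", ""), session.csrf_token)
```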
