SWsoft Plesk PLESKSESSID Parameter Multiple SQL Injection Vulnerabilities

Bugtraq ID:	25646
Class:	Input Validation Error
CVE:	CVE-2007-4892
Remote:	Yes
Local:	No
Published:	Sep 12 2007 12:00AM
Updated:	Apr 16 2015 06:09PM
Credit:	Nick I Merritt is credited with the discovery of these vulnerabilities.
Vulnerable:	SWSoft Plesk 8.2 SWSoft Plesk 8.1.1 SWSoft Plesk 8.1 SWSoft Plesk 7.6.1
Not Vulnerable:

SWsoft Plesk PLESKSESSID Parameter Multiple SQL Injection Vulnerabilities

Plesk is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Plesk 7.6.1, 8.1.0, 8.1.1, and 8.2.0 for Microsoft Windows are vulnerable; other versions running on different platforms may also be affected.

SWsoft Plesk PLESKSESSID Parameter Multiple SQL Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

The following proofs of concept are available:

• /data/vulnerabilities/exploits/25646.txt

SWsoft Plesk PLESKSESSID Parameter Multiple SQL Injection Vulnerabilities

Solution:
The vendor released updates to address these issues. Please see the references for more information.

SWsoft Plesk PLESKSESSID Parameter Multiple SQL Injection Vulnerabilities

References:

• [FIX] SQL Injection vulnerability (SWsoft)
  
• Plesk Homepage (SWsoft)
  
• RE: ScanAlert Security Advisory ([email protected])