CVE-2011-4729 in Plesk Panel
Summary
by MITRE
The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by login_up.php3 and certain other files.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/29/2018
The vulnerability identified as CVE-2011-4729 represents a critical security flaw in the Parallels Plesk Panel 10.2.0 build 101110331.18 server administration interface. This issue manifests as a missing HTTPOnly flag in Set-Cookie headers, creating a significant vector for cross-site scripting attacks and session hijacking. The vulnerability specifically affects the login_up.php3 script and related authentication components within the Plesk control panel environment, where session cookies are transmitted without proper security protections that would prevent client-side script access.
The technical implementation flaw occurs when the server generates authentication cookies for user sessions, failing to include the HTTPOnly attribute in the Set-Cookie header response. This attribute is essential for preventing malicious scripts from accessing cookie data through DOM manipulation techniques such as document.cookie access. Without this protection, an attacker who successfully injects malicious JavaScript into a vulnerable web page could easily extract session tokens and impersonate legitimate users. The vulnerability aligns with CWE-1004 which specifically addresses the lack of HTTPOnly flag in cookies, making it a well-documented weakness in web application security practices.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables authenticated attackers to escalate privileges and gain unauthorized access to administrative functions within the Plesk panel. Attackers can leverage this weakness to capture active session identifiers, potentially leading to complete system compromise and unauthorized management of hosted websites and services. The vulnerability affects the core authentication mechanism of the control panel, making it particularly dangerous for hosting providers who rely on Plesk for managing multiple customer accounts and sensitive web hosting data.
Security professionals should recognize this issue as a fundamental web application security gap that aligns with ATT&CK technique T1566.002 for credential access through web application vulnerabilities. The vulnerability demonstrates poor security implementation practices in cookie management and highlights the importance of following secure coding guidelines for web applications. Organizations should implement immediate mitigations including manual patching of the Plesk installation, deployment of web application firewalls, and implementation of additional monitoring for suspicious authentication-related activities. The recommended remediation approach includes updating to patched versions of Plesk Panel, implementing proper cookie security headers, and conducting comprehensive security assessments of all web applications to ensure similar vulnerabilities are not present in other components of the hosting infrastructure.