CVE-2011-4735 in Plesk Panel

Summary

by MITRE

Multiple cross-site scripting (XSS) vulnerabilities in the Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by smb/user/create and certain other files.


Analysis

by VulDB Data Team • 01/16/2018

The vulnerability CVE-2011-4735 represents a critical cross-site scripting weakness discovered in Parallels Plesk Panel version 10.2.0 build 20110407.20 within its Control Panel interface. This flaw resides in the server management platform that thousands of web hosting providers and system administrators rely upon to manage their hosting environments. The vulnerability specifically affects PHP scripts that handle user input processing, creating a pathway for malicious actors to execute arbitrary web scripts or HTML code within the context of authenticated user sessions.

The root cause is inadequate input validation and missing output encoding in the control panel's PHP scripts. Attackers can exploit this weakness by crafting malicious input and submitting it through specific endpoints such as smb/user/create and other related files within the application's attack surface. The flaw is classified under CWE-79, which covers cross-site scripting caused by insufficient sanitization of user-supplied data before it is included in dynamically generated web pages. Here it allows remote attackers to inject scripts that execute in the browser of authenticated users who visit the affected pages.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to escalate privileges and compromise entire hosting environments. When authenticated users interact with compromised pages, the injected scripts can steal session cookies, modify user permissions, access sensitive administrative functions, and potentially establish persistent backdoors within the hosting infrastructure. The attack vector uses standard web-based exploitation techniques that align with ATT&CK technique T1566 for initial access through web applications. The vulnerability affects the integrity and confidentiality of the entire control panel environment, potentially allowing attackers to gain unauthorized access to multiple customer accounts and hosting resources managed through the compromised platform.

Mitigation strategies should include immediate implementation of input validation controls, output encoding, and proper sanitization of all user-supplied data within the affected PHP scripts. Organizations should deploy web application firewalls to detect and block malicious payloads, update to the latest available version of Parallels Plesk Panel where the vulnerability has been patched, and implement strict access controls for administrative functions. Security teams should conduct comprehensive code reviews of all PHP applications handling user input, establish proper logging and monitoring for suspicious activities, and ensure that all users receive security awareness training regarding the dangers of executing untrusted code. The vulnerability demonstrates the critical importance of maintaining up-to-date security patches and implementing defense-in-depth strategies to protect against persistent threats targeting web application interfaces.
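The pattern the analysis describes, as an added illustration that is not Plesk's code: a hypothetical control-panel handler that reflects a submitted login name into the response, first in the vulnerable form, then with the input validation and output encoding the mitigation paragraph recommends. The function names, the allow-list regex and the sample payload are assumptions constructed for this example.

```php
<?php
// Added illustration, not Plesk code: a minimal "create user" handler in the
// style of a control-panel PHP script. vulnerable_render() reflects the
// submitted login name into the page unencoded (the CWE-79 pattern);
// safe_render() validates the field on input and HTML-encodes it on output.

declare(strict_types=1);

// Vulnerable: user-controlled $login is concatenated straight into markup,
// so any tags or attributes it contains are interpreted by the browser.
function vulnerable_render(string $login): string
{
    return '<p>Created user: ' . $login . '</p>';
}

// Hardened, step 1: validate on input. A hosting login is a short token;
// reject anything outside an explicit allow-list (pattern is an assumption).
function validate_login(string $login): bool
{
    return (bool) preg_match('/^[a-z][a-z0-9_.-]{0,31}$/i', $login);
}

// Hardened, step 2: encode at the output point regardless of validation, so
// the browser treats the value as text even if another code path skips step 1.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safe_render(string $login): string
{
    if (!validate_login($login)) {
        // Do not reflect the rejected value back, not even in the error path.
        return '<p class="error">Invalid login name.</p>';
    }
    return '<p>Created user: ' . esc($login) . '</p>';
}

// Constructed sample input: a typical scanner probe, not a real Plesk request.
$payload = '<script>alert(1)</script>';

// The vulnerable path returns the tag intact; the encoded form turns the
// angle brackets and quotes into entities; the hardened path rejects it.
echo vulnerable_render($payload), PHP_EOL;
echo esc($payload), PHP_EOL;
echo safe_render($payload), PHP_EOL;
echo safe_render('web.admin-01'), PHP_EOL;
```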

Reservation: 12/11/2011

Disclosure: 12/16/2011

Moderation: accepted

Entry: VDB-59715

CPE: ready

EPSS: 0.01304

KEV: no

Activities: very low
