CVE-2011-4738 in Plesk Panel

Summary

by MITRE

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by get_password.php and certain other files.


Analysis

by VulDB Data Team • 01/26/2018

The vulnerability identified as CVE-2011-4738 represents a critical security flaw in the Parallels Plesk Panel 10.2.0 build 20110407.20 control panel implementation. This issue manifests in the improper handling of session cookies within the web application's HTTP response headers, specifically affecting the authentication and session management mechanisms that are fundamental to the platform's security architecture. The vulnerability exists within the core web application framework that manages user access and administrative functions for hosting control panels.

The technical flaw occurs when the control panel generates Set-Cookie headers for session management purposes without implementing the HTTPOnly flag in the cookie attributes. This omission leaves the cookie readable by client-side script, so a remote attacker who can get script to execute in the panel's pages, for example through cross-site scripting, can access session cookies. The HTTPOnly flag serves as a crucial security mechanism that prevents client-side scripts from accessing cookie values, thereby protecting against session hijacking attacks. Without this flag, malicious scripts can easily extract sensitive session identifiers from the browser's cookie storage and use them to impersonate legitimate users.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to escalate privileges and gain unauthorized access to administrative functions within the Plesk Panel. The attack vector is particularly concerning because it affects critical files such as get_password.php and other authentication-related components that handle sensitive user information. This vulnerability directly violates the principle of least privilege and undermines the integrity of the authentication system, potentially allowing attackers to compromise entire hosting environments and access multiple customer accounts simultaneously.

The vulnerability aligns with CWE-1004 which describes insecure default settings in web applications, specifically focusing on the absence of proper security flags in HTTP headers. From an ATT&CK framework perspective, this issue maps to T1566 (Phishing) and T1548.001 (Abuse Elevation of Privilege) as attackers can leverage the exposed session cookies to perform credential theft and elevate their privileges within the system. The vulnerability also relates to T1213 (Data from Information Repositories) as it enables unauthorized access to sensitive user data stored within the Plesk Panel environment.

Organizations affected by this vulnerability should implement immediate mitigations including patching the Plesk Panel to the latest version that addresses this specific issue, manually adding the HTTPOnly flag to all Set-Cookie headers within the affected applications, and conducting thorough security assessments of all web applications running on the platform. Additionally, network administrators should monitor for suspicious activities and implement proper web application firewalls to detect and prevent exploitation attempts. The recommended approach involves both immediate remediation through patch management and long-term security hardening measures that ensure all session cookies are properly secured with appropriate security attributes including HttpOnly, Secure, and SameSite flags to prevent similar vulnerabilities from occurring in the future.
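To verify the remediation described above, the following added example (not code from VulDB or Parallels) audits the Set-Cookie headers of a captured HTTP response for the HttpOnly, Secure, and SameSite attributes. The response text and the cookie names `SESSION_A` to `SESSION_D` are constructed for illustration and are not taken from a Plesk installation.

```python
# Added example: audit Set-Cookie headers for missing HttpOnly/Secure/SameSite.
# SAMPLE_RESPONSE is constructed for illustration; the cookie names are
# placeholders, not values taken from a real Plesk installation.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSION_A=3f9c2a; path=/\r\n"
    "Set-Cookie: SESSION_B=httponly; Path=/; Secure\r\n"
    "Set-Cookie: SESSION_C=77aa01; Path=/; secure; HTTPONLY; SameSite=Lax\r\n"
    "set-cookie: SESSION_D=1b2c; Path=/; HttpOnly; SameSite=None\r\n"
    "\r\n"
    "<html></html>"
)

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    pair, *attr_parts = value.split(";")
    name = pair.split("=", 1)[0].strip()
    attrs = {}
    for part in attr_parts:
        # Attribute names are case-insensitive; flags carry an empty value.
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name, attrs

def audit_response(raw):
    """Return {cookie_name: [findings]} for every Set-Cookie header in raw."""
    head = raw.split("\r\n\r\n", 1)[0]
    report = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings = []
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if "secure" not in attrs:
            findings.append("missing Secure")
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("strict", "lax", "none"):
            findings.append("missing SameSite")
        elif samesite == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure")
        report[name] = findings
    return report

if __name__ == "__main__":
    for cookie, findings in audit_response(SAMPLE_RESPONSE).items():
        print(cookie, "->", ", ".join(findings) or "ok")
```

Only attributes after the first semicolon are inspected, so a cookie whose value happens to be the string `httponly` (`SESSION_B`) is still reported as missing the flag.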

Reservation: 12/11/2011

Disclosure: 12/16/2011

Moderation: accepted

Entry: VDB-59718

CPE: ready

EPSS: 0.01190

KEV: no

Activities: very low

Sources
