CVE-2011-4765 in Plesk Small Business Panel
Summary
by MITRE
The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by Wizard/Edit/Modules/ImageGallery/MultiImagesUpload and certain other files.
Analysis
by VulDB Data Team • 01/22/2018
The vulnerability described in CVE-2011-4765 resides within the Site Editor functionality of Parallels Plesk Small Business Panel version 10.2.0, representing a critical security flaw that undermines the integrity of session management mechanisms. This issue specifically affects the HTTPOnly flag implementation in Set-Cookie headers, which serves as a fundamental defense mechanism against cross-site scripting attacks. The absence of this flag creates a significant attack surface that malicious actors can exploit to gain unauthorized access to sensitive session data through client-side script execution.
The technical flaw manifests when the Site Editor component fails to set the HTTPOnly attribute in Set-Cookie headers for cookies used by Wizard/Edit/Modules/ImageGallery/MultiImagesUpload and certain other files. This omission allows malicious scripts running in the victim's browser to read those cookies through JavaScript interfaces, access that the HTTPOnly attribute would otherwise instruct the browser to deny. The vulnerability falls under CWE-1004, which categorizes insecure cookie attributes as a weakness that can lead to information disclosure and session hijacking scenarios.
The operational impact of this vulnerability extends beyond simple information disclosure, creating potential pathways for privilege escalation and persistent unauthorized access to administrative panels. Attackers can leverage this weakness to harvest session cookies and subsequently impersonate legitimate users with elevated privileges, particularly targeting the administrative interfaces that manage website configurations and user accounts. This risk is compounded by the fact that the vulnerability affects core administrative components that are frequently accessed during routine site management tasks.
Security professionals should recognize this issue as a variant of the broader ATT&CK technique T1566 which encompasses credential access through various means including web application vulnerabilities. The vulnerability's exploitation potential aligns with the ATT&CK framework's emphasis on maintaining access through compromised session management. Organizations running affected versions of Parallels Plesk Small Business Panel should implement immediate mitigations including manual patching of the affected components, enforcement of proper HTTPOnly flag implementation across all session cookies, and comprehensive security auditing of web application cookie handling mechanisms.
The remediation strategy must include comprehensive patch management procedures, automated cookie attribute validation, and regular security assessments of web application frameworks. Organizations should also consider implementing additional security controls such as secure cookie flags, proper session timeout configurations, and network-level monitoring to detect and prevent exploitation attempts. The vulnerability demonstrates the critical importance of proper cookie security implementation as outlined in OWASP Top Ten security requirements, particularly in administrative web interfaces where session hijacking can lead to complete system compromise.
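One way to implement the automated cookie attribute validation mentioned above, as an added example that is not code from VulDB or Parallels. The cookie names, header values and the policy of requiring both HttpOnly and Secure are constructed assumptions for illustration.

```python
"""Audit Set-Cookie response headers for missing HttpOnly / Secure attributes."""

# Assumption: the policy requires both flags on every cookie the panel sets.
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, _, val = part.partition("=")
        # Attribute names are matched case-insensitively (RFC 6265, section 5.2).
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_headers(headers):
    """Return {cookie_name: [missing flags]} for a list of (header, value) pairs.

    Each Set-Cookie header must be passed as its own pair; they cannot be
    safely comma-joined because Expires values contain commas.
    """
    findings = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample response headers (not captured from a real Plesk host).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "editor_state=1; path=/; Secure"),
    ("set-cookie", "csrf=xyz; Path=/; secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; HTTPONLY; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feeding the function the header pairs from each response in a crawl of the panel's pages gives a per-cookie list of gaps that can fail a build or a scheduled check.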