CVE-2011-4849 in Plesk Panel
Summary
by MITRE
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as demonstrated by cookies used by help.php and certain other files.
Analysis
by VulDB Data Team • 01/15/2018
CVE-2011-4849 affects Parallels Plesk Panel version 10.4.4_build20111103.18, where the Control Panel does not set the secure flag on session cookies issued during https sessions. This configuration oversight is a significant security weakness. The secure flag is an HTTP cookie attribute that instructs web browsers to transmit the cookie only over encrypted https connections. When the flag is omitted, the browser also attaches the cookie to plain http requests to the same host, which exposes it to man-in-the-middle interception and session hijacking.
The flaw affects the help.php script and other related files within the Plesk Control Panel interface. A remote attacker can capture session cookies by intercepting their transmission within an http session, which undermines the security of the entire control panel environment. The secure flag is the browser-side defense against this kind of interception, so its absence leaves the cookie unprotected. The weakness corresponds to CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) and is a classic example of insufficient transport layer protection.
The operational impact of this vulnerability extends beyond simple session theft, as compromised cookies can provide attackers with unauthorized access to administrative functions within the Plesk panel. Attackers can leverage captured session identifiers to perform administrative actions, modify server configurations, access sensitive customer data, and potentially escalate privileges within the hosting environment. This vulnerability particularly affects environments where mixed http and https traffic occurs, as the secure flag is not properly enforced, creating opportunities for cookie interception during protocol transitions or when users navigate between http and https pages.
Organizations should immediately implement mitigations including enforcing strict cookie security policies, ensuring all session cookies are configured with the secure flag, and implementing proper session management practices. The remediation process involves modifying the Plesk Control Panel configuration to explicitly set the secure flag for all session cookies, which can be achieved through configuration file updates or code-level modifications. Security teams should also implement network monitoring to detect potential cookie interception attempts and establish proper encryption policies for all web applications. This vulnerability demonstrates the critical importance of adhering to the principle of least privilege and proper cookie security implementation, as outlined in the ATT&CK framework's credential access tactics, particularly those involving session hijacking and credential theft through network interception methods.
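To verify the remediation described above, the following added example (not code from VulDB, MITRE or Plesk) audits captured Set-Cookie headers and reports cookies that were issued in an https response without the secure attribute. The host name, cookie names and values are constructed for illustration; only help.php comes from the advisory.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, raw Set-Cookie header value) pairs as they
# might be exported from a proxy log. Host, cookie names and values are made up.
SAMPLE = [
    ("https://panel.example.test/help.php", "EXAMPLESESSID=abc123; path=/"),
    ("https://panel.example.test/login.php", "EXAMPLESESSID=def456; Path=/; Secure; HttpOnly"),
    ("https://panel.example.test/help.php", "locale=en-US; Path=/; HttpOnly"),
    ("http://panel.example.test/index.html", "theme=dark; Path=/"),
    # The word "secure" appears in the value and in an attribute value only,
    # so a naive substring search would wrongly treat this cookie as safe.
    ("https://panel.example.test/x.php", "note=insecure; Path=/; Comment=secure"),
]


def parse_set_cookie(value):
    """Return (cookie_name, set of lowercase attribute names)."""
    first, *attrs = value.split(";")
    name = first.split("=", 1)[0].strip()
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def missing_secure(observations):
    """List (path, cookie_name) for cookies set over https without Secure."""
    findings = []
    for url, header in observations:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue  # CWE-614 concerns cookies issued inside an https session
        name, flags = parse_set_cookie(header)
        if "secure" not in flags:
            findings.append((parts.path, name))
    return findings


if __name__ == "__main__":
    for path, name in missing_secure(SAMPLE):
        print(f"{path}: cookie {name!r} lacks the Secure attribute")
```

The audit flags every cookie without the attribute; deciding which of them carry session state, and are therefore in scope for CWE-614, remains a triage step.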