Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to administer their websites and file servers. It’s the main choice of web hosting providers these days being used by 86.7% of the websites that use a web panel for administration.
Andrian Tiron, a security researcher at Fortbridge, discovered that when the REST API is called from the browser of a logged-in administrator, there are no defenses against CSRF. This shortcoming meant that if an attacker lures the Plesk admin to visit a malicious page, they could stage cookieless CSRF attacks against the server.
Several API endpoints could be attacked through the cookieless CSRF exploit.
The most interesting, said Tiron, was an endpoint that supported different commands, including changing the administrator’s password. Using this endpoint, the researcher was able to hijack the admin user account and gain full control of the host.
“Admin access in Plesk is very powerful. It’s identical to having root access because Plesk is used to fully manage hosts via the web interface,”. The developers probably thought that they’re protected against the CSRF because they’re using the Authorization header,” Tiron said.
“While this is true for requests created with XHR (the attacker would need to know this header to add it to the request), this is not true if you’re using HTML forms – in this case, the browser attaches the Authorization header automatically, by design.”
Impacted Plesk Versions
In Plesk versions starting from Plesk 17.8 attacker can execute commands and/or alter settings including the change of the admin’s password.
98.4% of the Plesk servers had the extension updated automatically and were not impacted.
Fixes were delivered as follows:
- For Plesk versions 18.0.26 and newer on July 5, 2022
- For Plesk versions 17.8.10 – 18.0.25 in late Sep 26, 2022
Call to Action
The vulnerability was fixed in scope of the Rest API extension update.
Therefore in case the Daily Maintenance scheduled task isn’t working on the server, the following steps should be taken to check if the vulnerability persists:
- Connect to the server via SSH / Connect to the server via RDP
- Execute the next command: plesk db “select name, version from Modules where name = ‘rest-api'”
The Rest API version should be:
- For Plesk version 18.0.26 and newer:
1.5.9 or higher
- For Plesk versions 17.8.10 – 18.0.25:
1.4.8 or higher
If the version is lower than the aforementioned in the environment in question, it is needed to upgrade the Rest-API extension by executing the next command:
For Plesk version starting from 18.0.26: plesk bin extension -g rest-api
For Plesk versions 17.8.10 – 18.0.25: plesk bin extension –upgrade-url https://ext.plesk.com/packages/5d72bca6-ab97-4faf-89a4-5ea9ee5a4d1f-rest-api/download?1.4.8-197
Implement CSRF Mitigation During Development
Tiron recommended that developers make sure that all POST requests that change the server state implement CSRF mitigation using either the synchronizer token pattern or the double submit cookie pattern.