Details of VAR-201204-0235

ID

VAR-201204-0235

TITLE

Parallels Plesk Panel Unsafe File Permissions Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2012-2204

DESCRIPTION

Parallels Plesk Panel is a web host control panel with integrated web design, SaaS market and payment system. During the backup process, the PLESK panel will record the detailed log of the processing to /opt/psa/PMM/sessions (Debian/Ubuntu) and /usr/local/psa/PMM/sessions (Centos). The detailed log file is psadump. Log naming and globally readable, this file contains administrator information. Parallels Plesk Panel is prone to an insecure file-permission vulnerability. An attacker can exploit this issue to obtain sensitive information such as admin password. This may aid in further attacks

Trust: 0.99

sources: CNVD: CNVD-2012-2204 // BID: 53264 // IVD: 3ae87136-1f6a-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 3ae87136-1f6a-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-2204

AFFECTED PRODUCTS

vendor:	parallels	model:	plesk panel	scope:	eq	version:	9.5	Trust: 1.1
vendor:	parallels	model:	plesk panel	scope:	eq	version:	9.3	Trust: 0.9
vendor:	parallels	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	parallels	model:	plesk panel	scope:	eq	version:	9.3*	Trust: 0.2

sources: IVD: 3ae87136-1f6a-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-2204 // BID: 53264

CVSS

SEVERITY

CVSSV2

CVSSV3

IVD:	3ae87136-1f6a-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

IVD:	3ae87136-1f6a-11e6-abef-000c29c66e3d
severity:	NONE
baseScore:	NONE
vectorString:	NONE
accessVector:	NONE
accessComplexity:	NONE
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	UNKNOWN
Trust: 0.2

sources: IVD: 3ae87136-1f6a-11e6-abef-000c29c66e3d

THREAT TYPE

local

Trust: 0.3

sources: BID: 53264

TYPE

Design Error

Trust: 0.3

sources: BID: 53264

EXTERNAL IDS

db:	BID	id:	53264	Trust: 0.9
db:	CNVD	id:	CNVD-2012-2204	Trust: 0.8
db:	IVD	id:	3AE87136-1F6A-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 3ae87136-1f6a-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-2204 // BID: 53264

REFERENCES

url:	http://www.allinfosec.com/2012/04/26/local-exploits-parallels-plesk-9-x-insecure-permissions/	Trust: 0.6
url:	http://www.plesk.com/html/index.htm	Trust: 0.3

sources: CNVD: CNVD-2012-2204 // BID: 53264

CREDITS

Nicolas Krassas

Trust: 0.3

sources: BID: 53264

SOURCES

db:	IVD	id:	3ae87136-1f6a-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2012-2204
db:	BID	id:	53264

LAST UPDATE DATE

2022-05-17T02:04:44.115000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2012-2204	date:	2012-04-28T00:00:00
db:	BID	id:	53264	date:	2012-04-26T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	3ae87136-1f6a-11e6-abef-000c29c66e3d	date:	2012-04-28T00:00:00
db:	CNVD	id:	CNVD-2012-2204	date:	2012-04-28T00:00:00
db:	BID	id:	53264	date:	2012-04-26T00:00:00