This exploit details multiple vulnerabilities in Parallels Plesk Sitebuilder, including authentication bypass, arbitrary file upload, arbitrary file download, XSS, and unauthorized website creation. It provides step-by-step instructions for exploiting these flaws, particularly focusing on uploading a shell via a file extension manipulation technique.
Classification
Working Poc 90%
Attack Type
Auth Bypass | Rce | Info Leak | Xss
Target:
Parallels Plesk Sitebuilder 4.5 (and associated Plesk Panel 9.5)
No auth needed
Prerequisites:
Access to the target web interface · Live HTTP Headers tool for file upload exploitation · A crafted shell file for RCE