CSRF in Plesk API enabled server takeover


Cross-site request forgery (CSRF) was a weakness in the Plesk REST API that could be used to launch a variety of attacks, including malicious file uploads and server takeover. Plesk is an administration tool widely used by web hosting and data centre providers; users typically manage their websites and file servers through its web interface.

That web interface has been tested extensively, and security flaws found in it have been fixed. Adrian Tiron, a security researcher at Fortbridge, discovered that the REST API, which exposes Plesk's capabilities to third-party programmes, was less well hardened than its web interface counterpart.
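The gap described above is the general CSRF problem for a cookie-authenticated API: the browser attaches the victim's session cookie to a cross-site form POST, so an endpoint that trusts the cookie alone will act on a request the victim never intended. The following is an added example (not Plesk's code, and not Fortbridge's proof of concept) that puts a vulnerable handler beside a hardened one. The panel origin, cookie name, `X-CSRF-Token` header and session table are all assumed values constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the hosting-panel UI (example value, not Plesk's real one).
ALLOWED_ORIGINS = {"https://panel.example.com:8443"}
SESSION_COOKIE = "session"        # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"      # assumed header carrying the per-session token


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as an API handler would see it."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: bytes = b""


def vulnerable_handler(req: Request, sessions: dict) -> int:
    """Authenticates with the session cookie only.

    A page on an attacker's origin can submit a form POST to this endpoint;
    the browser adds the victim's cookie, so the request is accepted.
    """
    if req.cookies.get(SESSION_COOKIE) not in sessions:
        return 401
    return 200  # a real handler would now write req.body to disk


def request_origin(req: Request):
    """Origin header if present, otherwise scheme://host[:port] of Referer."""
    origin = req.headers.get("Origin")
    if origin is None and req.headers.get("Referer"):
        parts = urlsplit(req.headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin


def is_csrf_safe(req: Request, sessions: dict) -> bool:
    """Accept state-changing requests only from the panel's own origin and only
    with a per-session token that a cross-site page can neither read nor set.

    A request with neither Origin nor Referer is treated as untrusted (fail closed).
    """
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    if request_origin(req) not in ALLOWED_ORIGINS:
        return False
    session = sessions.get(req.cookies.get(SESSION_COOKIE))
    if session is None:
        return False
    token = req.headers.get(CSRF_HEADER, "")
    return hmac.compare_digest(token, session["csrf"])


def hardened_handler(req: Request, sessions: dict) -> int:
    if req.cookies.get(SESSION_COOKIE) not in sessions:
        return 401
    if not is_csrf_safe(req, sessions):
        return 403
    return 200


# Constructed sample data: one logged-in administrator session.
SESSIONS = {"abc123": {"user": "admin", "csrf": "t0ken-4f9a"}}

# Forged request: a page on evil.example auto-submits a form POST. The browser
# attaches the victim's cookie, but the attacker cannot spoof Origin or the token.
FORGED = Request(
    method="POST",
    headers={"Origin": "https://evil.example",
             "Content-Type": "application/x-www-form-urlencoded"},
    cookies={"session": "abc123"},
    body=b"constructed-upload-bytes",
)

# Legitimate request from the panel UI, carrying the token it holds for the session.
LEGIT = Request(
    method="POST",
    headers={"Origin": "https://panel.example.com:8443", "X-CSRF-Token": "t0ken-4f9a"},
    cookies={"session": "abc123"},
    body=b"constructed-upload-bytes",
)

if __name__ == "__main__":
    print("vulnerable, forged:", vulnerable_handler(FORGED, SESSIONS))  # 200: forgery accepted
    print("hardened, forged:  ", hardened_handler(FORGED, SESSIONS))    # 403
    print("hardened, legit:   ", hardened_handler(LEGIT, SESSIONS))     # 200
```

Two design points matter in practice. The Origin/Referer allowlist fails closed when both headers are absent, which rejects some proxied or privacy-stripped clients, so the per-session token is what keeps the check usable rather than a replacement for it. And because custom headers such as `X-CSRF-Token` cannot be set by a plain HTML form, requiring one also forces any cross-origin script to go through a CORS preflight that the server never approves.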

