HelioHost
Posted February 14, 2024

Username: N/A, Server: N/A, Main Domain: N/A

---------- Forwarded message ---------
From: Danish Tariq
Date: Wed, Feb 14, 2024 at 5:21 PM
Subject: Open Redirect in Plesk Obsidian through 18.0.49
To:
Cc: Hassan Khan

Hello Team,

We have identified a vulnerability and we have provided the details below for your consideration.

Plesk Obsidian through version 18.0.49 contains an open redirect vulnerability via the login page. An attacker can exploit this by manipulating the Host request header, enabling them to redirect users to malicious websites. Consequently, this allows unauthorized access to user credentials and the execution of malicious operations. It's important to note that the vendor's stance is that "the ability to use arbitrary domain names to access the panel is an intended feature." - CVE-2023-24044

Proof of concept: https://allgaeuwetter.heliohost.org/login.php

Impact: Successful exploitation of this vulnerability could empower an attacker to redirect users to malicious websites. This opens the door to potential phishing attacks and the theft of sensitive information.

Remediation: To mitigate this vulnerability, it is strongly recommended to upgrade Plesk Obsidian to a version higher than 18.0.49. This update will address the open redirect issue and enhance the overall security of the system.

Regards,
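The report above describes a Host-header-driven open redirect: a login page that builds its redirect target from whatever `Host` value the client sends will happily send the browser to an attacker-chosen domain. The following is an added illustration, not code from the report, from Plesk, or from HelioHost: a minimal redirect builder in the vulnerable style next to a hardened one that pins the host to an allowlist, plus a checker you can run against a captured `Location` header. The host names (`panel.example.com`, `evil.example`) and the `ALLOWED_HOSTS` set are assumptions for the example; the actual Plesk login flow and parameter names are not reproduced here.

```python
"""Host-header open redirect: vulnerable construction, hardened construction, and a check.

Added example (not the reporter's or vendor's code). All hostnames are assumed.
"""
from urllib.parse import urlsplit

# Assumed canonical hostnames the panel is legitimately served on (with and without port).
ALLOWED_HOSTS = {"panel.example.com", "panel.example.com:8443"}
CANONICAL_HOST = "panel.example.com"


def redirect_target_vulnerable(headers: dict, path: str) -> str:
    """Vulnerable pattern: trusts the client-supplied Host header when building
    an absolute redirect URL. Whoever controls the Host header controls the target."""
    host = headers.get("Host", "localhost")
    return f"https://{host}{path}"


def redirect_target_hardened(headers: dict, path: str) -> str:
    """Hardened pattern: only a pre-configured hostname may appear in the redirect,
    and the path must be a plain local path (no scheme, no protocol-relative '//')."""
    host = headers.get("Host", "").strip().lower()
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    # Reject anything that is not a single-slash-rooted local path: '//evil.example/'
    # would be read by browsers as a protocol-relative URL to another origin.
    if not path.startswith("/") or path.startswith("//") or "://" in path:
        path = "/"
    return f"https://{host}{path}"


def is_open_redirect(location: str, expected_hosts=ALLOWED_HOSTS) -> bool:
    """Check a Location header value: True if it points off-site.

    Works on absolute URLs and on protocol-relative ones ('//evil.example/...').
    A relative path ('/login.php') has no netloc and is treated as on-site."""
    parts = urlsplit(location)
    if not parts.netloc:
        return False
    return parts.netloc.lower() not in {h.lower() for h in expected_hosts}


def probe(builder, attacker_host: str = "evil.example", path: str = "/login.php") -> bool:
    """Simulate the test a tester would do with curl -H 'Host: evil.example':
    feed a constructed request with a forged Host header to a redirect builder
    and report whether the resulting Location leaves the expected origin."""
    constructed_headers = {"Host": attacker_host, "User-Agent": "probe/1.0"}  # constructed input
    location = builder(constructed_headers, path)
    return is_open_redirect(location)


if __name__ == "__main__":
    print("vulnerable builder redirects off-site:", probe(redirect_target_vulnerable))
    print("hardened builder redirects off-site:  ", probe(redirect_target_hardened))
```

The same `is_open_redirect` check can be pointed at a real response: send the login request with a forged `Host` header (for example `curl -sI -H 'Host: evil.example' https://<panel>/login.php`), read the `Location` header from the reply, and pass it to the function. Note the caveat the reporter quotes from the vendor: if the panel is intended to be reachable under arbitrary names, the fix on the operator's side is to terminate requests for unknown hostnames at the reverse proxy or web server before they reach the panel, which is what the allowlist in `redirect_target_hardened` models.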
wolstech
Posted February 14, 2024

Thank you for the information. We are already using a version greater than 18.0.49 on both of our production servers, so it appears this has already been remediated.
HelioHost (Author)
Posted March 11, 2024

Hello Team,

We reported a vulnerability earlier at HelioHost. Would you like a more in-depth security scanning and penetration testing of your company to find more vulnerabilities? Let's have a meeting - https://calendly.com/laburity/meeting (you can schedule a call here)

Danish Tariq
Co-Founder, Laburity.
Linkedin | danish@laburity.com | +971501941383
Laburity - Your Cyber Guardians | Laburity @ Linkedin

On Wed, Feb 14, 2024 at 7:01 PM HelioHost Support wrote:
> Thank you for the information. We are already using a version greater than
> 18.0.49 on both of our production servers, so it appears this has already
> been remediated.
>
> You may view the status of your ticket by visiting:
>
> https://helionet.org/index/index.php?showtopic=59079
>
> Thank you,
> HelioHost support
> https://heliohost.org/
> https://helionet.org/
Krydos
Posted March 12, 2024

Is your in-depth penetration scanning and security scanning free?
HelioHost (Author)
Posted March 12, 2024

Hello Team,

No, it incurs a minimal charge, and we could discuss this over the meeting if you are up for it - let us know about your availability here - https://calendly.com/laburity/meeting

Danish Tariq
Co-Founder, Laburity.
Linkedin | danish@laburity.com | +971501941383
Laburity - Your Cyber Guardians | Laburity @ Linkedin

On Tue, Mar 12, 2024 at 7:12 AM HelioHost Support wrote:
> Is your in-depth penetration scanning and security scanning free?
>
> You may view the status of your ticket by visiting:
>
> https://helionet.org/index/index.php?showtopic=59079
>
> Thank you,
> HelioHost support
> https://heliohost.org/
> https://helionet.org/
Krydos
Posted March 12, 2024

Since we're a non-profit funded primarily by donations and run by volunteers, we don't have a budget to pay for people who tell us about vulnerabilities in versions of software we haven't used for months. If you're interested in donating your time to help us then we can discuss it, but if you're looking to get paid you'd be better off talking to for-profit companies.
HelioHost (Author)
Posted March 12, 2024

Hello Team,

The proposal was not for us to get paid for that outdated version thing that we reported; it was proposed for a more in-depth analysis. Nonetheless, thanks for explaining the situation, and if something comes up in the future regarding a vulnerability in the HelioHost application, we would responsibly and voluntarily share that with you for sure. We are also starting up; let's see where we can find a collaboration possibility.

Regards,

Danish Tariq
Co-Founder, Laburity.
Linkedin | danish@laburity.com | +971501941383
Laburity - Your Cyber Guardians | Laburity @ Linkedin

On Wed, Mar 13, 2024 at 1:27 AM HelioHost Support wrote:
> Since we're a non-profit funded primarily by donations and run by
> volunteers, we don't have a budget to pay for people who tell us about
> vulnerabilities in versions of software we haven't used for months. If
> you're interested in donating your time to help us then we can discuss it,
> but if you're looking to get paid you'd be better off talking to for-profit
> companies.
>
> You may view the status of your ticket by visiting:
>
> https://helionet.org/index/index.php?showtopic=59079
>
> Thank you,
> HelioHost support
> https://heliohost.org/
> https://helionet.org/