Plesk Obsidian
cpe:2.3:a:plesk:obsidian:*:*:*:*:*:*:*
- 18.0.70
A vulnerability in Plesk Obsidian version 18.0.70 has been identified in the password validation process for admin login. The issue arises because the validation function uses a loose equality comparison that can be manipulated: when both operands are numeric strings, PHP compares them as numbers rather than as strings. If the actual password is '0e' followed by any digits, an attacker can log in using any string that evaluates to '0.0', such as '0e0'. This vulnerability is located in 'admin/plib/LoginManager.php'.
Exploitation of this vulnerability allows an unauthenticated attacker to log in as admin, potentially leading to full server compromise, particularly when the admin password has the specific '0e' followed by digits format described above. Additionally, this vulnerability could be used to conduct more effective brute-force attacks on the admin password by combining timing and type confusion attacks.
Users can upgrade to Plesk Obsidian versions 18.0.71 Update 2 or 18.0.70 Update 4 to address this vulnerability. If an upgrade is not possible, changing the admin password to a value that does not include '0e' followed by digits is recommended.
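The following is an added illustration of the comparison flaw and of how a safe credential check avoids it; it is not Plesk's code and the stored value and input strings are constructed for the example. It shows a loose `==` check beside a strict `===` check, a constant-time `hash_equals()` check (which also removes the timing side channel the advisory mentions), and the recommended `password_verify()` pattern for stored password hashes.

```php
<?php
// Added example, not code from Plesk Obsidian or LoginManager.php.
// Constructed sample value: a stored credential string of the form 0e<digits>.
$stored = '0e12345';

// Vulnerable pattern: with two numeric strings, PHP's == compares them as
// numbers, so '0e12345' == '0e0' is true because both parse as float 0.0.
function looseCheck(string $stored, string $input): bool
{
    return $stored == $input;
}

// Fix 1: strict comparison keeps both operands as strings (no numeric coercion).
function strictCheck(string $stored, string $input): bool
{
    return $stored === $input;
}

// Fix 2: constant-time comparison; strict on content and independent of the
// position of the first differing byte, which closes the timing channel.
function constantTimeCheck(string $stored, string $input): bool
{
    return hash_equals($stored, $input);
}

// Recommended pattern: never compare password material directly. Store a
// password_hash() result and verify with password_verify(), which is already
// constant-time and immune to numeric-string coercion.
function hashedCheck(string $storedHash, string $input): bool
{
    return password_verify($input, $storedHash);
}

// Demonstration over constructed inputs: only the first column is bypassed.
$storedHash = password_hash($stored, PASSWORD_DEFAULT);
foreach (['0e0', '0e12345', 'wrong'] as $input) {
    printf(
        "input=%-8s loose=%-5s strict=%-5s hash_equals=%-5s password_verify=%s\n",
        $input,
        var_export(looseCheck($stored, $input), true),
        var_export(strictCheck($stored, $input), true),
        var_export(constantTimeCheck($stored, $input), true),
        var_export(hashedCheck($storedHash, $input), true)
    );
}
```

Running this with the PHP CLI shows `loose=true` for the input `'0e0'` while every other check returns `false` for it; the same numeric coercion applies in both PHP 7 and PHP 8 whenever both sides are numeric strings, so `==` remains unsafe for credential comparison regardless of PHP version.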