CVE-2023–24044

Description: A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a HTTP “Host” request header.

Vulnerability: Host Header Injection

Product: Plesk Obsidian

Version: 18.0.49 and below

Tools:

1. Burp Suite
2. Mozilla Firefox (as a browser)

Scenario: Attacker could redirect users login page to malicious login page by inject a payload directly into the “Host: ” HTTP request header.

Steps:

1. Access the target website (which Plesk installed) without URL path. In this case -> https://localhost:8443/.

2. Intercept “https://localhost:8443/login.php” request and Modify the “Host: ” HTTP request header value to malicious website. In this case -> attacker.com and then forward the edited request.

3. The target website will redirect to “https://attacker.com/login_up.php” instead of “https://localhost:8443/login.php”.

PoC:

1. Provided screenshot below

2. Video attached