
Information Disclosure via X-Powered-By-Plesk Header

Description

The 'X-Powered-By-Plesk' header discloses that the server is managed by the Plesk control panel. By revealing this detail, attackers gain insight into the hosting environment or control panel in use, potentially uncovering known vulnerabilities, outdated modules, or default Plesk configurations. In some instances, malicious actors can specifically target weak spots within the Plesk ecosystem, such as unpatched extensions or default credentials. Ultimately, advertising the use of Plesk increases the attack surface by enabling adversaries to focus on Plesk-specific flaws or known exploits, possibly leading to unauthorized access or disruption of hosted services.

Remediation

Remove or mask the 'X-Powered-By-Plesk' header so external requests do not discover that you are using Plesk. Configure your Plesk settings or underlying web server (e.g., Apache, Nginx) to strip or rewrite technology-identifying headers. Keep Plesk updated with the latest security patches and regularly review installed extensions for vulnerabilities or default credentials. If you use a reverse proxy, CDN, or load balancer, ensure it does not re-inject this header into responses. Consider employing a Web Application Firewall (WAF) or intrusion detection system to detect and block malicious traffic attempting Plesk-based exploits. Periodic security audits help confirm that sensitive environment details are not inadvertently disclosed.
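As an added audit check (not part of this entry), the script below parses HTTP response headers and reports the technology-identifying ones, so the result can be compared before and after the header has been stripped at the web server or proxy; the list of header names checked and the sample responses are assumptions, not values from this entry.

```python
# Added audit check: report technology-identifying response headers so the
# result can be compared before and after X-Powered-By-Plesk is stripped.
import urllib.request

# Header names treated as platform disclosures (assumed list; extend as needed).
DISCLOSING_HEADERS = ("x-powered-by-plesk", "x-powered-by", "server")


def parse_headers(raw_response: str) -> dict:
    """Return a lower-cased {name: value} dict from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]  # drop the body, if any
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: dict) -> list:
    """List (name, value) pairs for headers that reveal the hosting stack."""
    return [(n, headers[n]) for n in DISCLOSING_HEADERS if n in headers]


def audit_url(url: str, timeout: float = 5.0) -> list:
    """Live check against your own host: HEAD-request `url` and return its disclosing headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    return find_disclosures(headers)


# Constructed sample responses: before and after the header is removed.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By-Plesk: PleskLin\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(parse_headers(raw)))
```

Run `audit_url("https://your-host.example/")` after applying the remediation to confirm the header no longer appears; a non-empty result means the web server, proxy, or CDN is still emitting a disclosing header.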

References

https://docs.plesk.com/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3
