Could you check the output of the following command?
plesk bin server_pref --show | grep ssl-cipher-server-order
By default it should be:
ssl-cipher-server-order: true
If it is `false`, then probably you ran `plesk sbin pci_compliance_resolver --enable` previously.
Anyway, this is...
Hello,
For security reasons (isolation by using different system users) each website (domain with website hosting) should be in its own webspace/subscription until two websites need to share some local files.
Hello,
Thank you for the message!
To investigate this issue much more information may be needed. Especially logs related to the time of malicious file creation, versions of software installed.
Could you contact Plesk support?
OpenSSL writes this message when it cannot write the default seeding file: https://www.openssl.org/docs/faq.html#USER2
You can ignore it, because openssl does not need to use default seeding file on Linux, because /dev/urandom is available.
So, this is a small bug in OpenSSL. We will document and maybe...
There are actually two problems which people mean by "Logjam":
1. Logjam attack against the TLS protocol.
It can be prevented by disabling export cipher suites. They are disabled by default in OpenSSL. Neither Plesk nor default configurations of services managed by Plesk enable export cipher...
Actually, SecureLinks (specifically, Symlink Owner Match Protection - that is what we need) works out of the box in CloudLinux 6.
Unfortunately, Symlink Owner Match Protection does not work in CloudLinux 7 now. ID of this bug is CLKRN-57. Bug ID will be into kernel release note (follow...
PHPSESSID is always set as so called "Session cookie", i.e. there is no expiration date assigned to it:
Set-Cookie: PHPSESSID=e17d5942de2140ae71d0cdfa827e3c41; path=/; secure; httponly
This behaviour does not change in Plesk 12.5.
User agent "sessions" are mentioned in RFC 6265:
But this...
Yes, this is already done in Plesk 17.0. I hope this will be backported to Plesk 12.5 soon. Thank you.
"disable_symlinks if_not_owner" is in effect (and is required for security) only when Serve static files directly by nginx is switched on.
Otherwise Apache serves static files using...
Perl scripts served by Apache's `mod_perl` are executed with Apache's rights, so yes, this is insecure in a shared hosting environment: it is possible to read/write files accessible to the apache system user.
Perl support should be switched off in a shared hosting environment.
However CGI applications...
Hello,
Sorry for the delay.
This is a known issue. It was addressed in Plesk 12.0: the option Restrict the ability to follow symbolic links was introduced.
But this option is switched off by default, because it breaks some applications. (At that moment some widely used applications, e.g. Drupal...
Hello,
Could you give the output of the following commands to find out a cause of the problem?
rpm -qf `which nginx`
nginx -V
rpm -qf /usr/lib64/httpd/modules/mod_ssl.so
strings /usr/lib64/httpd/modules/mod_ssl.so | grep 'OpenSSL [0-9]' --max-count=1
I guess Plesk for Windows 12.5, maybe 12.0 will be updated.
I do not think Plesk 11.5 will be updated, because this issue is not critical (there are workarounds). Plesk 11 is now in the “Extended Support” phase, which means that it continues to receive patches only for critical issues...
Apache (search CVE-2016-5387) is already fixed by all Linux OS vendors:
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html...
Hello,
This is a very interesting question. I would love to find such a resource too =). I would be glad if you would continue to share your experience.
Windows Live Mail, as well as Outlook, uses Schannel as SSL/TLS backend, so the reconfiguration from the link above should help (I have tested this...