• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Best Practice for customers with custom handlers

T

Tobias Sorensson

New Pleskian
Server operating system version
Windows Server 2016
Plesk version and microupdate number
18.0.49 Update #2
Hello

we got a new client that wants to override plesks default handlers with its own.
its a very old app that they have according to the new client.
they used it in azure on a vm there.

i dont feel like we should allow it because its a security risk but i would like to hear you guys opinion.

is it safe to disable the override protection? i mean its there for a reason.
we have other users on the same plesk server and we do not want to have one site mess with them/ or cause harm to the other clients website.
 
I'd say it would depend on the custom handler they're trying to use. When you disable the protection then new domains going forward will be able to use web.config to create custom handlers so it should only affect those who are using their own web.config custom stuff but~, you basically opening yourself up for some bad time as well depending on what the application is.

To be honest, if I was in your shoes, I'd probably have a server just for them so they can do whatever they please without fear of their application possibly affecting anyone else, especially older applications that might not even work on Server 2016 without you adding or munking with additional settings (I know, I have a client that can't move some of their web applications from Windows Server 2008 R2 because of how it was built, they basically need to rebuild it which they're slowly doing).
 
Hi scsa20,

Do you consider that it is a risk to allow custom handlers and that we should check the box "Prohibit the ability to override handlers via web.config"?

I was still faced with this issue today... What harm could come from here?
 
Custom handlers alone isn't a bad thing, since all you're doing is mapping extensions to your application to handle the request (for example, having TXT extensions processed as normal HTML or PHP, or using Microsoft's Docs's example: " if a developer created a handler that created RSS-formatted XML, you could bind the .rss file name extension in your application to the custom handler." But what can be a problem is if the application is so old and not updated that it can be exploited, and some web application might be programmed in a way that can't be run on newer OSes for one reason or another.

So, again, this is all a it depends. Generally there is no security risks one way or another allowing users to override handlers through web.config other then the user doing something stupid which breaks the site (such as having PHP and/or HTML process as normal text files), that's about it.
 
You must log in or register to reply here.

Similar threads

F
Question Best Practices for Backing Up (large) Plesk Servers
Replies
4
Views
703
ChristophRo
ChristophRo
cosmocanuck
Question Disk space mysteriously growing
Replies
6
Views
1K
cosmocanuck
cosmocanuck
S
Question open_basedir and WordPress, general consensus needed, configured or none?
Replies
6
Views
4K
Duarte N
D
DigitalWeb
Issue Need help with some questions I have about Web Hosting Server
Replies
2
Views
2K
gulshan212
gulshan212
hardbrasil
Question web applications requiring custom envoiriments
Replies
3
Views
2K
Dave W
Dave W
Back
Top