
Question: Best Practice for customers with custom handlers

Tobias Sorensson
New Pleskian
Server operating system version: Windows Server 2016
Plesk version and microupdate number: 18.0.49 Update #2
Hello

We got a new client that wants to override Plesk's default handlers with its own.
It's a very old app that they have, according to the new client.
They used it in Azure on a VM there.

I don't feel like we should allow it because it's a security risk, but I would like to hear you guys' opinion.

Is it safe to disable the override protection? I mean, it's there for a reason.
We have other users on the same Plesk server and we do not want to have one site mess with them or cause harm to the other clients' websites.
 
I'd say it would depend on the custom handler they're trying to use. When you disable the protection, new domains going forward will be able to use web.config to create custom handlers, so it should only affect those who are using their own web.config custom stuff, but you're basically opening yourself up for some bad times as well, depending on what the application is.

To be honest, if I was in your shoes, I'd probably have a server just for them so they can do whatever they please without fear of their application possibly affecting anyone else, especially older applications that might not even work on Server 2016 without you adding or mucking with additional settings (I know, I have a client that can't move some of their web applications from Windows Server 2008 R2 because of how it was built; they basically need to rebuild it, which they're slowly doing).
 
Hi scsa20,

Do you consider that it is a risk to allow custom handlers and that we should check the box "Prohibit the ability to override handlers via web.config"?

I was still facing this issue today... What harm could come from this?
 
Custom handlers alone aren't a bad thing, since all you're doing is mapping extensions to your application to handle the request (for example, having TXT extensions processed as normal HTML or PHP, or, using Microsoft Docs' example: "if a developer created a handler that created RSS-formatted XML, you could bind the .rss file name extension in your application to the custom handler"). But what can be a problem is if the application is so old and not updated that it can be exploited, and some web applications might be programmed in a way that can't be run on newer OSes for one reason or another.

So, again, this is all an "it depends". Generally there are no security risks one way or another in allowing users to override handlers through web.config, other than the user doing something stupid which breaks the site (such as having PHP and/or HTML processed as normal text files); that's about it.
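As an added illustration (not from this thread, and not Plesk's own configuration) of what the override lock controls: fragment (1) is a constructed tenant web.config that re-maps .txt to PHP, the example scsa20 gives; fragment (2) shows the IIS section lock in applicationHost.config that makes IIS reject such per-site overrides. The thread does not say how Plesk applies its checkbox internally, so treating it as equivalent to this lock is an assumption; paths and the site name are placeholders.

```xml
<!-- (1) Tenant web.config, constructed example: have IIS run *.txt through PHP.
     scriptProcessor is an executable path chosen by the site owner, which is
     the multi-tenant risk an unlocked handlers section exposes: whatever is
     named here runs under that site's application-pool identity. -->
<configuration>
  <system.webServer>
    <handlers>
      <add name="txt-as-php" path="*.txt" verb="GET,POST"
           modules="FastCgiModule"
           scriptProcessor="C:\PLACEHOLDER\php\php-cgi.exe"
           resourceType="File" />
    </handlers>
  </system.webServer>
</configuration>

<!-- (2) %windir%\System32\inetsrv\config\applicationHost.config (server level).
     IIS declares the handlers section locked, then re-opens it for every site
     with a <location path=""> block; that block is where the lock is decided. -->
<configSections>
  <sectionGroup name="system.webServer">
    <section name="handlers" overrideModeDefault="Deny" />
  </sectionGroup>
</configSections>

<!-- Weak: overrideMode="Allow" on the empty path means any web.config on the
     box may redefine handler mappings (fragment (1) is honoured). -->
<location path="" overrideMode="Allow">
  <system.webServer>
    <handlers accessPolicy="Read, Script">
      <!-- server-wide handler mappings live here -->
    </handlers>
  </system.webServer>
</location>

<!-- Hardened: set overrideMode="Deny" on the block above, then opt in only the
     one site you have decided to trust (or isolate, as suggested in the reply),
     leaving the other tenants' web.config handler sections locked. -->
<location path="PLACEHOLDER-SITE-NAME" overrideMode="Allow">
  <system.webServer>
    <handlers />
  </system.webServer>
</location>
```

With the section locked, a tenant web.config that still contains a handlers element fails with HTTP 500.19 ("This configuration section cannot be used at this path"), which is the visible sign that the lock is in effect rather than a fault in the site itself.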
 