
BIG security flaw in php under plesk7.5.4

Discussion in 'Plesk for Windows - 8.x and Older' started by larsm, Nov 30, 2005.

  1. larsm

    larsm Guest

    We have been testing Plesk for a while now.
    We have bought Plesk 7.5.4 and installed all the patches and are running it with
    MailEnable Enterprise
    on a Win 2003 Std.

    We then had a user to whom we gave an account (domain user).

    He then installed a CMS system (PHP)
    called pMachinePro2.4 on his webhotel/webspace.

    After installation he went into his website (CMS backend) as a CMS admin and clicked on the file manager button and got instant access to the whole drive, incl. all other domains' DBs and the psa DB with all Plesk passes and so forth. THIS, MY FRIENDS, IS A serious security breach. How do I solve this!!!! ???

    I am quite shocked!! :confused: :confused:
  2. larsm

    larsm Guest

    temporary solution

    It seems that a temp solution is to enable the ISAPI for PHP files for that site, but still there is a problem: ISAPI just closes the gap a little bit.

    What is needed here is a solution that will work server-side, not only for the one, and I'm sure that when we get further down in this there are more nasty things in the bag that should be corrected.

    This one is a serious one,
    but besides that, all in all I like the panel; it just needs a big makeover, it seems!