
Bug with Plesk 10.4.4 with Subdomains, when Ip was changed

The issue isn't reproducing on Plesk 11.0.9 with the steps provided:

+----+--------+----------------------------+------+---------------+----------------+------+
| id | dom_id | name                       | type | ip_address    | ipCollectionId | id   |
+----+--------+----------------------------+------+---------------+----------------+------+
|  1 |      1 | a10-52-148-208.qa.plesk.ru | mail | 10.52.148.208 |              1 |    1 |
|  2 |      1 | a10-52-148-208.qa.plesk.ru | web  | 10.52.148.208 |              2 |    1 |
|  3 |      2 | ipmanage.tld               | mail | 10.57.52.112  |              3 |    3 |
|  4 |      2 | ipmanage.tld               | web  | 10.57.52.112  |              4 |    3 |
|  5 |      3 | additional.tld             | mail | 10.57.52.112  |              5 |    3 |
|  6 |      3 | additional.tld             | web  | 10.57.52.112  |              6 |    3 |
|  7 |      4 | std.fwd                    | mail | 10.57.52.112  |              7 |    3 |
|  8 |      4 | std.fwd                    | web  | 10.57.52.112  |              8 |    3 |
|  9 |      5 | frm.fwd                    | mail | 10.57.52.112  |              9 |    3 |
| 10 |      5 | frm.fwd                    | web  | 10.57.52.112  |             10 |    3 |
| 11 |      6 | none.tld                   | mail | 10.57.52.112  |             11 |    3 |
| 12 |      7 | sub.ipmanage.tld           | mail | 10.57.52.112  |             12 |    3 |
| 13 |      7 | sub.ipmanage.tld           | web  | 10.57.52.112  |             13 |    3 |
| 14 |      8 | sub-ad.additional.tld      | mail | 10.57.52.112  |             14 |    3 |
| 15 |      8 | sub-ad.additional.tld      | web  | 10.57.52.112  |             15 |    3 |
+----+--------+----------------------------+------+---------------+----------------+------+

# /usr/local/psa/bin/subscription -u ipmanage.tld -ip 10.57.52.113

mysql> select ds.id, ds.dom_id, d.name, ds.type, ip.ip_address, ic.ipCollectionId, ip.id from DomainServices ds left join domains d on ds.dom_id=d.id left join IpAddressesCollections ic on ds.ipCollectionId=ic.ipCollectionId left join IP_Addresses ip on ip.id = ic.ipAddressId;
+----+--------+----------------------------+------+---------------+----------------+------+
| id | dom_id | name                       | type | ip_address    | ipCollectionId | id   |
+----+--------+----------------------------+------+---------------+----------------+------+
|  1 |      1 | a10-52-148-208.qa.plesk.ru | mail | 10.52.148.208 |              1 |    1 |
|  2 |      1 | a10-52-148-208.qa.plesk.ru | web  | 10.52.148.208 |              2 |    1 |
|  3 |      2 | ipmanage.tld               | mail | 10.57.52.113  |              3 |    4 |
|  4 |      2 | ipmanage.tld               | web  | 10.57.52.113  |              4 |    4 |
|  5 |      3 | additional.tld             | mail | 10.57.52.113  |              5 |    4 |
|  6 |      3 | additional.tld             | web  | 10.57.52.113  |              6 |    4 |
|  7 |      4 | std.fwd                    | mail | 10.57.52.113  |              7 |    4 |
|  8 |      4 | std.fwd                    | web  | 10.57.52.113  |              8 |    4 |
|  9 |      5 | frm.fwd                    | mail | 10.57.52.113  |              9 |    4 |
| 10 |      5 | frm.fwd                    | web  | 10.57.52.113  |             10 |    4 |
| 11 |      6 | none.tld                   | mail | 10.57.52.113  |             11 |    4 |
| 12 |      7 | sub.ipmanage.tld           | mail | 10.57.52.113  |             12 |    4 |
| 13 |      7 | sub.ipmanage.tld           | web  | 10.57.52.113  |             13 |    4 |
| 14 |      8 | sub-ad.additional.tld      | mail | 10.57.52.113  |             14 |    4 |
| 15 |      8 | sub-ad.additional.tld      | web  | 10.57.52.113  |             15 |    4 |
+----+--------+----------------------------+------+---------------+----------------+------+

So, as I wrote before - upgrade your Plesk to 11.0.9 version.

BTW, in the case of Amazon or another environment where IP addresses change on the same interface, it is better to configure Plesk to remap IPs automatically:

# /usr/local/psa/bin/ipmanage --auto-remap-ip-addresses true

---
--auto-remap-ip-addresses <true|false>
Defines whether to perform the automatic mapping of IP addresses on Panel startup. Use the option in cases when the registered IP addresses are changed (for example, cloning of the Panel VPS).
 
So, as I wrote before - upgrade your Plesk to 11.0.9 version.

You have to be kidding.

Are you saying version 10 is not supported at this point? Are you going to come upgrade the billing system for us since it has to be on 11 before the panels can be? Do you realize every time the billing system is upgraded it breaks horribly and we have to open numerous tickets that we wait weeks to get resolved? Do you realize that people with a large number of servers don't want to upgrade them all every time there's a stupid bug? I thought that was the point of the microupdates system? Or is that just to close security holes that you never tell us about until after people start getting compromised?

I doubt you care, Parallels' response to any bug is upgrade to the next version with no consideration whatsoever given to the customers using their products and how it may impact them.
 
Updating to Plesk 11 is the Best Practice.

Are you saying version 10 is not supported at this point?

Plesk 10.4 is still supported. However, only the most critical issues, which impact a lot of customers, are backported from Plesk 11.0. This issue is not recognized as most critical. Sorry.

Are you going to come upgrade the billing system for us since it has to be on 11 before the panels can be?

You should be aware of the Free Assistance for Parallels Plesk Panel 11 Installation/Upgrade and Transfer/Migration Issues.
You can come and get free support if you face problems with moving to the latest version. We care.

Do you realize every time the billing system is upgraded it breaks horribly and we have to open numerous tickets that we wait weeks to get resolved?

That is really a pity. However, staying on an older Plesk version is not a solution. Sooner or later you will have to go ahead and, you know, it will be much more difficult to step over several versions than moving to the next.
You should be aware of the Technology Adoption Program.
You can come and get free assistance for adapting upcoming Plesk for your environment. We care.

Do you realize that people with a large number of servers don't want to upgrade them all every time there's a stupid bug?

Lately we are working with service providers who are moving hundreds of servers per week from older Plesks to the latest.
You can do the same with our assistance. You just should want it. We care.

I thought that was the point of the microupdates system?

Yes, it was and it is. However, not every bugfix can be delivered with Micro-Update, unfortunately. We are improving the technology but its abilities are not unlimited. We care.

Or is that just to close security holes that you never tell us about until after people start getting compromised?

I guess you mean Remote vulnerability in Plesk Panel (CVE-2012-1557). You are a bit incorrect. We have fixed the issue and informed customers as soon as the issue had been discovered. Please take a look at the 8.6 MU#2, 9.5 MU#11 and 10.3 MU#6.
However, unfortunately, our customers have ignored the information and thought better of it when they started getting compromised. We care.

I doubt you care, Parallels' response to any bug is upgrade to the next version with no consideration whatsoever given to the customers using their products and how it may impact them.

You have to be kidding.
 
Plesk 10.4 is still supported. However, only the most critical issues, which impact a lot of customers, are backported from Plesk 11.0. This issue is not recognized as most critical. Sorry.

You realize this was reported long before version 11 was out correct? You have known about this bug for at least seven months, chose to ignore fixing it and now just tell people to upgrade. And that is the way it goes with quite a few issues; ignore, force upgrade, ignore, force upgrade. This is not a new thing for Parallels, I have been using Plesk for seven years, so I have plenty of experience with this process.

That is really a pity. However, staying on an older Plesk version is not a solution. Sooner or later you will have to go ahead and, you know, it will be much more difficult to step over several versions than moving to the next.
You should be aware of the Technology Adoption Program.
You can come and get free assistance for adapting upcoming Plesk for your environment. We care.

So you're saying it's better to subject customers to small doses of pain frequently? Upgrading the Plesk version gets customers very angry because they don't like having to find where something got moved to or figuring out why something that used to work doesn't (example, removing domain administrators, and the replacement in Plesk 10 is either a security issue or doesn't work [we have tickets on both]).

Lately we are working with service providers who are moving hundreds of servers per week from older Plesks to the latest.
You can do the same with our assistance. You just should want it. We care.

Please provide me references, either on here or private, I would like to talk to some other customers who have found a way to upgrade "hundreds of servers per week." Additionally, I'm going to guess they are not running the billing system. And on top of that, I guess they are doing the updates at times your servers haven't exceeded their daily traffic limits because we routinely upgrade a server only to get 10.4.4 installed and then find out the micro updates servers are down, leaving us with an unpatched server that we have to retry over and over waiting to get the patches.

http://forum.parallels.com/showthread.php?t=261206

Never got an official Parallels response in that thread, just a forum member telling me to pull patches from some unknown IP address.

I guess you mean Remote vulnerability in Plesk Panel (CVE-2012-1557). You are a bit incorrect. We have fixed the issue and informed customers as soon as the issue had been discovered. Please take a look at the 8.6 MU#2, 9.5 MU#11 and 10.3 MU#6.
However, unfortunately, our customers have ignored the information and thought better of it when they started getting compromised. We care.

Regarding how you "informed customers as soon as the issue had been discovered", that is a complete lie. You certainly did not notify customers as soon as the issue had been discovered; that would imply that you sent out a notice prior to a fix being released. No, you did not. You did not send anything at all out before you knew about the issue and had created a patch; i.e. you let customers remain vulnerable while working on a patch. And then calling what was sent a notification of a security issue would be stretching it quite a bit.

The date of the CVE you quoted is March 2012. Your own official article http://kb.parallels.com/en/113321 is from February 2012. Your 'notification' to customers consisted of the following hidden deep within the release notes of 9.5.4 MU #11:

Parallels Plesk Panel 9.5.4 MU #11 [02-Sep-2011]
[-] SQL injection vulnerability fixed.

That's it, the above is what you sent out AFTER you had already known about the issue and released a fix. Are you telling me you feel that two lines of text buried within the release notes of a micro update is what Parallels feels is adequate notification of a remote root exploit?

The real notice came out five months later. Oh yeah, and it used some random third party service to send the emails, which likely means spam filters killed a good portion of the messages you sent; here's a thread on that:

http://forum.parallels.com/showthread.php?t=257240

You'll notice my question in July on how to test and confirm micro update application has been ignored.

I'll summarize this series of events for you. Parallels somehow came to know about a remotely exploitable vulnerability in a portion of the panel that most customers probably never use, in summer of 2011. At that point in time, you never sent an email to customers stating "Dear customer, you should immediately block access to, remove or otherwise render admin/plib/api-rpc/Agent.php inaccessible by untrusted requests because there is a SQL injection vulnerability in it that can be remotely exploited." If you had done so, users of your products could have prevented issues even before you had a patch. After not sending any notification, you created a patch. You did the absolute bare minimum notification to cover yourselves by including two lines of text in the release notes of a micro update with no mention of whether it was remotely exploitable, what it affected, what could be accomplished by exploiting it, etc. You then let the issue sit for five months and finally put an official true notification out once your own customers began to be exploited.
 
For everyone running into the issue this thread is about, here is the information you'll need to fix it.

Run these against the psa database, i.e.:

mysql -u admin --password=`cat /etc/psa/.psa.shadow` psa

First one (replace DOMAIN.COM with the primary domain in question):

select ipAddressId from IpAddressesCollections where ipCollectionID=(select ipCollectionID from DomainServices where type="web" and dom_id=(select id from domains where name="DOMAIN.COM"));

Second one (replace SUB.DOMAIN.COM with the sub-domain in question):

select ipCollectionID from DomainServices where dom_id=(select id from domains where name="SUB.DOMAIN.COM");

Third, take the results from the above two, one at a time, and put the numbers in where noted:

update IpAddressesCollections set ipAddressId='1st RESULT' where ipCollectionId='2nd RESULT';

Just run that second query more than once if you have more than one result for the second part.
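As an added example (not code from the thread or from Plesk), the diagnostic join from the earlier post and the three-step repair above, run against a constructed SQLite copy of the four psa tables involved. Table and column names are taken from the thread's queries; the rows, the function names and the rule that a subdomain's parent is its name minus the first label are assumptions.

```python
import sqlite3

# Constructed stand-in for the four psa tables the thread's queries touch:
# column names follow those queries, the rows are made up. ipmanage.tld has
# moved from IP id 3 to id 4 but its subdomain's collections still point at
# the old address, which is the state the thread describes.
SAMPLE_DB = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE IP_Addresses (id INTEGER PRIMARY KEY, ip_address TEXT NOT NULL);
CREATE TABLE IpAddressesCollections (ipCollectionId INTEGER, ipAddressId INTEGER);
CREATE TABLE DomainServices (id INTEGER PRIMARY KEY, dom_id INTEGER, type TEXT,
                             ipCollectionId INTEGER);
INSERT INTO domains VALUES (2, 'ipmanage.tld'), (7, 'sub.ipmanage.tld');
INSERT INTO IP_Addresses VALUES (3, '10.57.52.112'), (4, '10.57.52.113');
INSERT INTO IpAddressesCollections VALUES (3, 4), (4, 4), (12, 3), (13, 3);
INSERT INTO DomainServices VALUES (3, 2, 'mail', 3), (4, 2, 'web', 4),
                                  (12, 7, 'mail', 12), (13, 7, 'web', 13);
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB)
    return conn

def service_ips(conn):
    """The diagnostic join from the thread: each service with its resolved IP."""
    return conn.execute(
        "SELECT d.name, ds.type, ip.ip_address FROM DomainServices ds "
        "LEFT JOIN domains d ON ds.dom_id = d.id "
        "LEFT JOIN IpAddressesCollections ic ON ds.ipCollectionId = ic.ipCollectionId "
        "LEFT JOIN IP_Addresses ip ON ip.id = ic.ipAddressId ORDER BY ds.id").fetchall()

def stale_subdomains(conn):
    """Services of a subdomain whose IP differs from the parent's web IP.
    Assumption: the parent is the name minus its first label."""
    ips = {(name, typ): ip for name, typ, ip in service_ips(conn)}
    return sorted((name, typ) for (name, typ), ip in ips.items()
                  if (name.partition(".")[2], "web") in ips
                  and ips[(name.partition(".")[2], "web")] != ip)

def realign_subdomain(conn, primary, sub):
    """The thread's three-step fix, parameterised; returns rows updated."""
    (addr_id,) = conn.execute(
        "SELECT ipAddressId FROM IpAddressesCollections WHERE ipCollectionId = "
        "(SELECT ipCollectionId FROM DomainServices WHERE type = 'web' AND dom_id = "
        "(SELECT id FROM domains WHERE name = ?))", (primary,)).fetchone()
    coll_ids = [row[0] for row in conn.execute(
        "SELECT ipCollectionId FROM DomainServices WHERE dom_id = "
        "(SELECT id FROM domains WHERE name = ?)", (sub,))]
    cur = conn.executemany(
        "UPDATE IpAddressesCollections SET ipAddressId = ? WHERE ipCollectionId = ?",
        [(addr_id, cid) for cid in coll_ids])
    conn.commit()
    return cur.rowcount
```

Running stale_subdomains before the repair lists the mismatched subdomain services; running it again afterwards returns an empty list, which is the check that every service of the subdomain now resolves to the primary domain's address.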
 
However, unfortunately, our customers have ignored the information and thought better of it when they started getting compromised. We care.

You have to be kidding.

Seems appropriate to bring this post up again since there are new security holes with no notification from Parallels.

Apparently a few days ago new microupdates were released for "major" security issues in Plesk 9 and 10:

v9: http://kb.parallels.com/114891
v10: http://download1.parallels.com/Ples...el-10-linux-updates-release-notes.html#104444

The version 10 page indicates an update last month was also for "major" security issues. In the case of all three of these updates, no notification was sent to the customers. I'm signed up for every possible manner of notifications with Parallels; i.e. the forum, where no post has been made about this, I've signed up two different addresses at http://www.parallels.com/mailinglists/subscribe/ where you've told customers to sign up for security bulletins, I have a third address on file for billing (which seems to work great for receiving your invoices), yet nothing was sent there other than the bill.

Last time I got a security related email was March. Based on the release notes for 10, it looks like I should have received an email in March, April, May, a second time in May, a third time in May, July, September and October since each of those was for a security update. So for the past eight months, you've sent a notice for one out of eight security issues.

What can a customer possibly do to get you to actually send us security notices at the time an issue is detected and again when a fix has been released? Even though it's inexcusable how poorly security issues are handled, at least most users of 10 probably have microupdates turned on for automated install; however, version 9 has no such capability, so those of us who still have version 9 servers sitting around for a variety of reasons are sitting vulnerable, oblivious to the fact that there's a critical fix that should be applied.
 
http://forum.parallels.com/showpost.php?p=642376&postcount=2
 

I'm not clear on how a reply to someone's post in the Plesk 11 forum telling them everything is great and they don't need to worry about being told about updates relates to Plesk 9 (which can't be automated) and 10? Are you that confident in your automated microupdate system that administrators should not even know when security patches are released, that we should never be told in advance, that we should not apply the updates immediately but rather wait and hope the panel does the install later that evening, hope that a server doesn't get hacked between when the vulnerability is known and when the update occurs, that the updates server will never be down (which it is regularly if it exceeds the daily bandwidth apparently) and that we should never be given the information required to determine if the updates have actually been applied?

I asked several months ago how we can determine that updates have really been applied, not what the xml file says, that was ignored as well. So I guess we're just supposed to hope it all works until the time that it doesn't.
 
Hi Hostasaurus.Com,
I have tried your solution, and it is correct; using it managed to solve my Plesk 10.4.4 related issue. Thank you for your time and knowledge.
Regards.
 