
Issue: Critical vulnerability in Plesk?, main domain

Bossman

Basic Pleskian
My server hostname is server.example123.com
My main domain is example123.com

I was trying to list the contents of the file /root/somefile (the file is owned by root) via the PHP interpreter on my example123.com domain. This root directory is up, up, outside the vhosts directory. I was shocked that I could list whatever I want and execute every command I want! How is this possible?

I have PHP 5.4; SSH access is blocked for the user from my example123.com domain.
The PHP file which I created is owned by my example123.com hosting account user.
 
Hello,

What is your PHP handler type (Websites & Domains > example123.com > Hosting Settings > run PHP as)?
What are the file permissions of the "/root" directory and the "/root/somefile" file (output of `ls -ld /root /root/somefile`)?
 
Yes, it is apache2handler.
This matter is being taken care of via Plesk support; I will let you know how it goes.
But if you have any brilliant idea about what I could do, let me know :)
 
Yes, it is apache2handler.
So, you use the "Apache module" handler type. The documentation says:
"It is the least secure option as all PHP scripts are executed on behalf of the apache user."
I advise switching to the "PHP-FPM application" handler type.

However, PHP scripts should be executed with apache, not root rights. I hope your apache web server doesn't run as root. The output of `system("id");`, which you haven't shared, could confirm or deny this.

Anyway, I hope Plesk support will help you.
 
Yes, the system command does not work; I think it can be blocked via ASL. I don't want to mess around a lot till support gives me some info. I also hope that apache is not run as root :). Thanks for the info on handler security.
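The two diagnostics asked for in the replies above (the `ls -ld /root /root/somefile` output and the identity the PHP handler runs as) can be combined into one check. This is an added example, not part of the thread or of Plesk: a shell script that walks a path and reports, from mode bits alone, whether a given uid/gid can read it. The apache uid/gid of 48 and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Classic mode-bit check only:
# ACLs, SELinux and capabilities are ignored. Requires GNU stat.

# perm_allows UID "GIDS" MODE OWNER_UID OWNER_GID NEED  (NEED: 4=read, 1=search)
perm_allows() {
    a_uid=$1 a_gids=$2 a_ouid=$4 a_ogid=$5 a_need=$6
    a_mode=$((0$3))                          # stat prints octal, e.g. 550
    if [ "$a_uid" -eq 0 ]; then return 0; fi # root bypasses mode bits
    if [ "$a_uid" -eq "$a_ouid" ]; then
        a_bits=$(( (a_mode >> 6) & 7 ))      # owner class applies, even if stricter
    else
        a_bits=$(( a_mode & 7 ))             # default to the "other" class
        for a_g in $a_gids; do
            if [ "$a_g" -eq "$a_ogid" ]; then a_bits=$(( (a_mode >> 3) & 7 )); fi
        done
    fi
    [ $(( a_bits & a_need )) -ne 0 ]
}

# path_readable_by UID "GIDS" /absolute/path
# Search (x) is needed on every parent directory, read (r) on the target.
# Prints the first component that blocks access and returns 1.
path_readable_by() {
    p_uid=$1 p_gids=$2 p_rest=${3#/} p_cur=/
    while :; do
        if [ -z "$p_rest" ]; then p_need=4; else p_need=1; fi
        p_st=$(stat -L -c '%a %u %g' -- "$p_cur") || return 2
        set -- $p_st                          # $1=mode $2=owner uid $3=owner gid
        if ! perm_allows "$p_uid" "$p_gids" "$1" "$2" "$3" "$p_need"; then
            echo "blocked at $p_cur"; return 1
        fi
        if [ -z "$p_rest" ]; then return 0; fi
        p_cur=${p_cur%/}/${p_rest%%/*}        # descend one component
        case $p_rest in */*) p_rest=${p_rest#*/} ;; *) p_rest= ;; esac
    done
}

# Usage: sh check.sh 48 "48" /root/somefile   (48 = assumed apache uid/gid)
if [ $# -eq 3 ]; then path_readable_by "$1" "$2" "$3"; fi
```

If the script reports no blocking component for the web server's uid, either the mode bits on `/root` or the file are looser than expected, or the handler is not running as the user assumed.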
 