• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Critical vulnerability in plesk ?, main domain

Bossman

Basic Pleskian
my server hostname is server.example123.com
my main domain is example123.com

i was trying to list content of file via php interpreter at my example123.com domain from file /root/somefile (file is owned by root), this root directory is up up outside vhosts directory, i was shock that i could list whatever i want and execute every command i want !, how this is possible ?

i have php 5.4, ssh access is blocked for user from my example123.com domain
php wich i created is owned by my example123.com hosting account user.
 
Hello,

What is your PHP handler type (Websites & Domains > example123.com > Hosting Settings > run PHP as)?
What is your file permissions of "/root" directory and "/root/somefile" file (output of `ls -ld /root /root/somefile`)?
 
Yes, it is apache2handler.
This matter is being take care of via Plesk support i will let you know how it goes.
But if you have any briliant idea which i could do let me know :)
 
Yes, it is apache2handler.
So, you use "Apache module" handler type. The documentation says:
It is the least secure option as all PHP scripts are executed on behalf of the apache user.
I advice to switch to "PHP-FPM application" handler type.

However, PHP scripts should be executed with apache, not root rights. I hope your apache web server doesn't run as root. Output of `system("id");` which you hasn't shared could confirm or deny this.

Anyway, I hope Plesk support will help you.
 
Yes system command does not work, i think it can be blocked via ASL. I don't want to mess around a lot till support will give me some info. I olso hope that apache is not run as root :). Thanks about info on handler security.
 
Back
Top