
Directory /statistics: permission denied after update 11.0.9 #55

ManuG2k

Basic Pleskian
Hello,
After update 11.0.9 #55, the statistics directory on all my subscriptions is not accessible.
From File Manager (with administrator Plesk Panel user) I receive this error:

Error: Unable to change directory to //statistics: filemng: opendir failed: Permission denied
System error 13: Permission denied

With FTP, I receive this error:

Command: CWD statistics
Response: 550 statistics: No such file or directory
Error: Failed to retrieve directory listing


Before update #55 (installed tonight) it was working properly.

Can you help me?
 
You mean "Websites & Domains" > "Web statistics"?

With version 11.0.9#55 I get a blank white page here; nothing is loading.
 
I receive an error from "Home -> Subscription -> mydomainname -> Websites & Domains -> File Manager", after I click the statistics folder.
The statistics folder is inaccessible from the FTP account.
From the server (SSH) the folder exists and I can enter the logs subfolder.
 
Plesk 10.4.4 also seems affected (under CentOS 6, at least) by this issue (#MU52 in that version's case).


Either way, not being able to access the statistics directory implies there might be an ownership or permissions issue.

Indeed, if you look at the statistics directory AFTER MU55, you'll see this:

r-x r-x --- (i.e. 550) root.psaserv


Before MU55, you would see this:
r-x r-x --- (i.e. 550) [FTP-USER].psaserv

And that's the problem - the directory is now owned by root instead of the Panel login/FTP user, and therefore you can't access it.

The solution, if required, is therefore just to change the ownership back to FTP user. But before anybody rushes to do so, we need to make sure this change was not deliberate (i.e. a security enhancement).

**** NOTE: Please can someone else confirm what I'm seeing - do not jump to conclusions. I only have one system without MU55 to look at, too many windows open on my screen, and not enough 11.09 systems to double-check, so I could easily have made an error in my post.
 
Yes Faris, same problem on my servers :\
I have 200 websites, it is impossible for me to change the permissions site by site :\
 
I have reproduced it on fresh 11.0.9 MU#55 installation and submitted report #1676286 to developers.
 
User permissions were restricted due to security issue. That's why users can't access logs via FTP or FileManager.
Most probably the issue will not be fixed, because security is a very strong reason to keep such a restriction. As a possible workaround you can use the "Logs" feature:

Screen Shot 2013-07-01 at 3.13.43 PM.jpg
 
Is this security issue only in 11.0.9 or in 11.5 too? Can you say what the reason for this is?
 
I have over 100 websites on a Plesk 11.0.9 server, to which I connect via FTP with SmarterStats to read website statistics from the /statistics/logs folder.
For me it is now a serious problem.
How can I fix it?
How do I reset the permissions on the statistics folder?
 
If a security issue does not bother you, you can solve the problem with the command:

# chmod -R 755 /var/www/vhosts/*/statistics/

But I strongly do not recommend it.
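
The ownership and mode change described in this thread can be checked across all subscriptions at once. The script below is an added example, not part of the thread and not Plesk code: it reports every statistics directory that deviates from the root / psaserv / 550 state posted above, for instance after a recursive chmod. The function name `audit_statistics` is hypothetical, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit <vhosts>/*/statistics against the state the thread
# reports after the update (owner root, group psaserv, mode 550).
# Assumes GNU coreutils stat (Linux). Function name is hypothetical.

audit_statistics() {
    base=$1
    want_owner=${2:-root}
    want_group=${3:-psaserv}
    want_mode=${4:-550}

    for dir in "$base"/*/statistics; do
        [ -d "$dir" ] || continue            # unmatched glob or not a directory
        meta=$(stat -c '%U:%G %a' "$dir") || continue
        owner=${meta% *}                     # "user:group"
        mode=${meta##* }                     # octal mode, e.g. 550 or 755

        reasons=""
        if [ "$owner" != "$want_owner:$want_group" ]; then
            reasons="$reasons ownership"
        fi
        if [ "$mode" != "$want_mode" ]; then
            reasons="$reasons mode"
        fi
        # Last octal digit holds the "other" bits; non-zero means accounts
        # outside the owner and group can reach the directory.
        case $mode in
            *0) ;;
            *)  reasons="$reasons world-accessible" ;;
        esac

        if [ -n "$reasons" ]; then
            printf '%s %s %s:%s\n' "$dir" "$owner" "$mode" "$reasons"
        fi
    done
    return 0
}

# Stand-alone use: sh audit.sh /var/www/vhosts
if [ "$#" -gt 0 ]; then
    audit_statistics "$@"
fi
```

An empty result means every statistics directory still matches the expected owner, group and mode.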
 
@Igor why are these important changes not communicated? The only thing the changelog says is:
Fixed moderate security issue with leak of sensitive information. The issue can be exploited by authenticated users only. Authenticated users are users that have logins to Parallels Plesk Panel (such as your customers, resellers, or your employees). This MU is strongly recommended for all Parallels Plesk Panel users.
It does not say that the /statistics folder is now restricted.

Please also think from our point of view ;-)
 
Sorry but Plesk vulnerability issues can't be widely discussed for security reasons.
 
@igorG Sorry but security by obscurity does not work. Anyway, I did not ask for the full details. I just would like to know that after the security fix log files are not available anymore for customers by FTP. Now our helpdesk gets a lot of questions about this and we didn't know of it.
 
I was late in my upgrade and am just now finding out about this /statistics issue. I've got about 70 log files I run every month, automatically, by downloading the file via FTP. Can anyone suggest a workaround? Perhaps a web stats program that runs on the server? Any other -- secure -- way to download the log file without having to go through the control panel?
 
Azurel, thanks for the fast reply! I'm running 11.5.30.

Do you mean FTP to the stats folder is working fine? When I upgraded, the folder became unavailable on my clients' sites. I was looking for a way to change all clients' stats folder permissions when I came across this thread saying there was a security issue with FTP to the stats folder. And that it was not recommended to change the file permissions -- although it could be done.

Is it possible for you to upgrade to 11.5.x? In Plesk 11.5 it's working fine.
 