
File System Object Security in PSA Win 6.5

Discussion in 'Plesk for Windows - 8.x and Older' started by 0trnet, Dec 26, 2003.

  1. 0trnet (Guest)

    First of all, Plesk 6.5 for Windows is a great program. Congratulations to SWsoft.

    We have been doing web hosting on the Windows platform for the past 5 years. We're using our own control panel program, but Plesk is a nearly perfect program for Windows hosting. But,

    There's a File System Object security bug that must be fixed! Any domain user can display ASP/PHP code, delete files, or write anything to another domain's directory. It can be done by any ASP utility using the FileSystemObject shipped with Windows 2000 or 2003 Server. That means any hosting is in danger of being hacked by another user of this system. It can be fixed easily.

    Plesk creates a user for every domain with the FTP username and password at the system level of the Windows server. It gives this user security permissions on the directories of the domain, as Plesk uses Microsoft FTP for clients to log in. At that point everything is fine.

    But all the web sites running on Microsoft IIS use the same username for anonymous access when viewed on the internet. This username is like IUSR_COMPUTERNAME. It can be viewed at the web site properties (xx.com non-SSL properties, Directory Security, anonymous access username). So you can write ASP code that edits/deletes/views or creates files with the SCRRUN.DLL FileSystemObject.

    This security hole can be fixed easily, as Plesk already assigns privileges for the FTP user on the directories of this hosting. Only the IIS anonymous user entry must be set to the FTP user. After that everything will be fine.

    Happy working.
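    An audit check for the isolation problem described in this post, added here as an example and not part of the thread or of Plesk: it lists, for every IIS site, the identity anonymous requests run as and flags sites still using the shared IUSR account, plus document roots whose NTFS ACL grants access to that account, to another site's anonymous user, or to broad groups. It assumes IIS 7 or later with the WebAdministration module; the IIS 5/6 metabase of the 2003-era setup discussed here would need adsutil queries instead.

```powershell
# Added example (not from the thread or Plesk). Assumes IIS 7+ / WebAdministration.
Import-Module WebAdministration

function Get-AnonymousUser([string]$SiteName) {
    # Empty userName means "run as the application pool identity" on IIS 7+.
    $p = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName
    if ($p -is [string]) { return $p }   # value may come back as a plain string
    return [string]$p.Value              # ...or as a ConfigurationAttribute
}

function Test-SiteAnonymousIsolation {
    $sites = Get-Website
    $anonBySite = @{}
    foreach ($s in $sites) { $anonBySite[$s.Name] = Get-AnonymousUser $s.Name }

    foreach ($s in $sites) {
        $root = [Environment]::ExpandEnvironmentVariables($s.PhysicalPath)
        $me = $anonBySite[$s.Name]
        $short = ($me -split '\\')[-1]
        $findings = @()
        # Machine-wide IUSR / IUSR_COMPUTERNAME: every site shares one principal.
        if ($short -match '^IUSR(_.+)?$') {
            $findings += "anonymous identity '$me' is the shared IUSR account"
        }
        if (Test-Path $root) {
            foreach ($ace in (Get-Acl $root).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                $idShort = ($id -split '\\')[-1]
                # Another site's anonymous user with an allow ACE on this root.
                $otherAnon = $anonBySite.Values |
                    Where-Object { $_ -and $_ -ne $me -and ($_ -split '\\')[-1] -eq $idShort }
                $broad = $idShort -match '^(IUSR(_.+)?|Everyone|Users|Authenticated Users)$'
                if ($otherAnon -or $broad) {
                    $findings += "ACL grants $($ace.FileSystemRights) to $id"
                }
            }
        }
        [pscustomobject]@{ Site = $s.Name; AnonymousUser = $me; Root = $root; Findings = $findings }
    }
}

# Report only sites with at least one finding.
Test-SiteAnonymousIsolation | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

An empty AnonymousUser is reported but not flagged, since on IIS 7.5+ it usually means a per-pool ApplicationPoolIdentity, which is isolated only if each site has its own pool.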
  2. sieb@ (Guest)

    Hmm... I don't see how this is possible, since the ICUSR only has read access to directories and authentication is done with Windows using the real user accounts PSA creates. The ICUSR as anonymous is a Windows default, not something set by Plesk. From what I am reading, the problem you describe is a Windows problem, not Plesk.
  3. 0trnet (Guest)

    Of course it is a Windows security bug, but Windows is not a hosting program, just an operating system; Plesk is.
  4. siren@ (Guest)

    Plesk may be a hosting system, but Windows is the operating system. This is a bug that needs to be corrected via Microsoft because of the nature of it.

    Plesk may be able to provide a patch for this, but it will not solve the problem at the core, and that is where it needs to be solved.

    Larry Stevens
    DDI Hosting
  5. 0trnet (Guest)

    We've solved the problem. Some PHP code had to be rewritten. May Plesk recognize this situation and release a patch.

    Anyone serious about the situation, before being hacked or before Plesk releases a patch, just e-mail me. We're not using Plesk but have solved the problem.