0trnet
Guest
First of all, Plesk 6.5 for Windows is a great program. Congratulations to SWsoft.
We have been doing web hosting on the Windows platform for the past 5 years. We're using our own control panel program, but Plesk is a nearly perfect program for Windows hosting. But,
There's a File System Object security bug that must be fixed! Any domain user can display ASP/PHP code, delete files, and write anything to another domain's directory. It can be done by any ASP utility using File.SystemObject used by Windows 2000 or 2003 Server. That means any hosting is in danger of being hacked by another user of this system. It can be fixed easily.
Plesk creates a user for every domain with the FTP username and password at the system level of the Windows server. This user is given security permissions to the directories of this user, as Plesk uses Microsoft FTP for clients to log in. At that point everything is fine.
But all the web sites that are running on Microsoft IIS use the same username to be viewed on the internet for anonymous access. This username is like IUSR_COMPUTERNAME. It can be viewed at the webs (xx.com nonssl properties > directory security > anonymous access username). So you can write ASP code that edits/deletes/views or creates with the SCCRUN.DLL File.Script object.
This security hole can be fixed easily, as Plesk already inserts privileges for the FTP user into the directories of this hosting. Only the IIS entry's anonymous user must be set to the FTP user. After that everything will be fine.
Happy working.
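The condition the post describes is an audit question an administrator can ask of any IIS host: does every site run anonymous requests as one shared account, and does that account hold write rights on the site roots? The script below is an added example, not code from the post or from Plesk. It assumes IIS 7 or later with the WebAdministration module (the IIS 5/6 metabase of the original post is not covered), an elevated session, and that the shared account is either the built-in IUSR or the legacy IUSR_COMPUTERNAME; site names, paths and identities are read from the server, and the remediation function applies the post's own fix of giving each site its own anonymous identity.

```powershell
# Added example, not from the original post. Audits each IIS site for the
# condition described above: anonymous requests running as one shared account
# (IUSR_COMPUTERNAME on IIS 5/6, built-in IUSR on IIS 7+) that also holds
# write rights on site roots. Assumes IIS 7+ with the WebAdministration module
# and an elevated session; site names, paths and accounts are read from the server.
Import-Module WebAdministration

# Shared anonymous identities to look for (IUSR_<host> is the legacy name).
$sharedAnonAccounts = @("IUSR", "IUSR_$env:COMPUTERNAME")
$writeRights = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
               [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
               [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AnonymousIdentity {
    param([string]$SiteName)
    $cfg = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
        -Filter "system.webServer/security/authentication/anonymousAuthentication"
    # An empty userName means IIS 7+ runs anonymous requests as the application
    # pool identity instead of a fixed account.
    if ([string]::IsNullOrEmpty($cfg.userName)) { return "<application pool identity>" }
    return $cfg.userName
}

function Test-SharedAccountCanWrite {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''   # strip DOMAIN\ or HOST\
        if (($sharedAnonAccounts -contains $name) -and
            ($ace.AccessControlType -eq 'Allow') -and
            ((([int]$ace.FileSystemRights) -band $writeRights) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Report: one line per site.
foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
    $anon = Get-AnonymousIdentity -SiteName $site.Name
    $shared = $sharedAnonAccounts -contains ($anon -replace '^.*\\', '')
    $writable = Test-SharedAccountCanWrite -Path $root
    $status = if ($shared -and $writable) { "AT RISK" } elseif ($shared) { "shared identity" } else { "ok" }
    "{0,-16} {1,-30} anonymous={2,-28} shared-account-write={3}" -f $status, $site.Name, $anon, $writable
}

# Remediation as the post suggests: give each site its own anonymous identity
# (the domain's FTP account, which already has rights only on that domain's
# directory). Credentials land in applicationHost.config; pass them in from a
# secure store rather than a script literal.
function Set-SiteAnonymousIdentity {
    param([string]$SiteName, [string]$UserName, [string]$Password)
    $filter = "system.webServer/security/authentication/anonymousAuthentication"
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name userName -Value $UserName
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name password -Value $Password
}
# Placeholder usage: Set-SiteAnonymousIdentity -SiteName "example.com" -UserName "example_ftp" -Password $pw
```

A site reported as "AT RISK" has both halves of the problem: its anonymous identity is the shared account, and that account can write under the site root, so any site's script runs with enough rights to touch the others. Setting a per-site identity removes the first half; the second half is worth fixing too, by ensuring the shared account keeps at most read access on directories it no longer needs.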