hacking with php shell

[Christian Roehl]

I have not found any thread or comment to that point. Do you made exeriences with php shell (http://phpshell.sourceforge.net/) already? Once php shell is installed on your plesk server you are able to execute shell commands, *delete files* or have control about all files/folder of other customers.

All you need is an existing account on your plesk server and users which disabled safe mode in order to install apps like joomla or wordpress.

 

[danliker]

i can not confirm that, how have you tested it ?

 

[Christian Roehl]

i will provide access, but not official on that forum. Are you able to contact me directly?

 

[IgorG]

Guys,

Could you please post results of your investigation with all necessary details how it can be reproduced?

 

[danliker]

i can not reproduce it on our servers ...

open_basedir prevent the access to other costumers ...

 

[Christian Roehl]

All infos are there. Choose one existing user on your plesk machine, deactivate for user that user safe mode (that happens in case of customer is installing e.g. joomla). Install php shell (http://phpshell.sourceforge.net/) (http://prdownloads.sourceforge.net/phpshell/phpshell-2.1.zip?download) and configure and execute that script. After you logged in on http://www.yourdomain.tld/phpshell.php, you have the control decsribed above.

 

[Christian Roehl]

if you want I will prepare a test machine for you, potentially thats easier. Please keep me informed.

 

[Christian Roehl]

@danliker: lenny is running fine. So i should limit the issue to CentOS 5.4. PHP 5.1.6

 

[danliker]

ok, i think i have found the bug ...

if you use fcgi the open_basdir and other php values are not set in http.include file ...

 

[IgorG]

If you have found bug, please describe it with details and instruction how it can be reproduced. I will submit bugreport to developers in this case.

 

[danliker]

what more do you need ?

 

[IgorG]

what more do you need ?

How phpshell http://phpshell.sourceforge.net/ can be installed to Plesk server without root access?

 

[danliker]

it is a php script, just download, unpack and upload it with ftp to an account with fcgi enabled and safe mode disabled ...

 

[Christian Roehl]

Use any user account on your plesk server (please use centos, debian is running fine). upload the files e.g. in your httpdocs folder. Configure the config.php with user, password. If there is any need I can prepare a server for limited time.

 

[IgorG]

Ok. Thank you for information and cooperation.
I have submitted corresponding request to developers.

 

[danliker]

any news on this bug ??

 

[IgorG]

This issue still under developer's investigation.

 

[danliker]

any news on this, it is realy a security problem !

 

[IgorG]

This issue still under developer's investigation.

 

[danliker]

any news on this ?

it is realy a security problem !