Facebook
Twitter
stevewest15
New Pleskian
Hello,
I thought we had our plesk servers pretty secure but it seems Plesk apache allows cgi scripts to read and access files across all customers. Any recommendations on how others handle securing their plesk servers from cgi/perl uploaded hacking tools?
We had a customer site hacked thru Joomla (php) and then hackers uploaded a cgi script specific to Plesk to scan all sites (ie /var/www/sites/*/httpdocs/) for sensitive files (like wp-config.php, configuration.php, etc). The hackers cgi script was able to make symlinks of other users sensitive files locally and I assume it was able to read those files as cgi/perl run as apache user. :-(
I'm checking w/ Plesk to see why on the Service Plan, the setting is enabled for "Restrict the ability to follow symbolic links" but at the subscription level, it's disabled for all customers. :-( I tested it on multiple Plesk servers and it seems enabling this setting at the service plan and running sync doesn't actually update at the plan level.
Would appreciate any helpful recommendation on what others are doing to better secure Plesk again CGI/Perl hacks which run as apache user instead of system user of subscription.
Thanks,
SW
I thought we had our plesk servers pretty secure but it seems Plesk apache allows cgi scripts to read and access files across all customers. Any recommendations on how others handle securing their plesk servers from cgi/perl uploaded hacking tools?
We had a customer site hacked thru Joomla (php) and then hackers uploaded a cgi script specific to Plesk to scan all sites (ie /var/www/sites/*/httpdocs/) for sensitive files (like wp-config.php, configuration.php, etc). The hackers cgi script was able to make symlinks of other users sensitive files locally and I assume it was able to read those files as cgi/perl run as apache user. :-(
I'm checking w/ Plesk to see why on the Service Plan, the setting is enabled for "Restrict the ability to follow symbolic links" but at the subscription level, it's disabled for all customers. :-( I tested it on multiple Plesk servers and it seems enabling this setting at the service plan and running sync doesn't actually update at the plan level.
Would appreciate any helpful recommendation on what others are doing to better secure Plesk again CGI/Perl hacks which run as apache user instead of system user of subscription.
Thanks,
SW
