• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

PCI Compliance: jsw.js

U

ukOliverS

New Pleskian
Hey,

On performing a PCI compliance scan from SecurityMetrics against a fully patched Plesk server (11.5):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20130821T010234">
<patch version="13" timestamp="" installed-at="20130824T112258" />
</product>
</patches>
Click to expand...

The following issue is highlighted:

Description: CGI Generic Command Execution (time-based)
Synopsis: It may be possible to run arbitrary code on the remote web server.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By
leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method which is less reliable than the basic method.



Data Received: Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The '1376892702' parameter of the /javascript/jsw.js CGI : /javascript/jsw.js?
1376892702=%7C%7C%20sleep%2021%20%26
-------- output -------- // Copyright 1999-2012. Parallels IP Holdings GmbH. All Rights Reserved. /*
JavaScript Widgets */
Jsw = {
version: '1.0', baseUrl: '',
_registredComponents: null, _initOnReady: false, [...] ------------------------
Click to expand...

SM are happy to mark it as a false positive but first need to clarify exactly what this file does. Suspect this is a false positive but would appreciate some input from Parallels.
 
Judging by the source (available at /usr/local/psa/admin/htdocs/javascript/jsw.js) it's just a JavaScript library. Since it is served as static content, it couldn't be affected by any GET parameters, IMO. Therefore this time-based check should be a false positive. You should probably wait for the official comment though.
 
1376892702 is a timestamp. It's needed to control browser cache and nothing more. If jsw.js changed on the server (new version of Plesk was installed) new timestamp will be generated, that will force the browser to repeat request for jsw.js instead of using file retrieved earlier. File jsw.js is a static JavaScript file and its content could not be affected anyhow by GET parameters.
 
You must log in or register to reply here.

Similar threads

danami
Input Sentinel Anti-malware Extension for Plesk
Replies
6
Views
3K
danami
danami
raytracy
Resolved Backup job cannot find domain?
Replies
2
Views
1K
raytracy
raytracy
J
Vulnerability in ProFTP 1.3.3d (PCI Compliance)
Replies
4
Views
3K
JohnToTheK
J
D
Help with PCI compliance | SMTP SSL | Courier IMAP | Port 3306
Replies
2
Views
5K
Deoxymono
D
D
PCI Compliance Issues
Replies
2
Views
2K
Jllynch
Jllynch
Back
Top