
PCI Compliance: jsw.js

ukOliverS

New Pleskian
Hey,

On performing a PCI compliance scan from SecurityMetrics against a fully patched Plesk server (11.5):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20130821T010234">
<patch version="13" timestamp="" installed-at="20130824T112258" />
</product>
</patches>

The following issue is highlighted:

Description: CGI Generic Command Execution (time-based)
Synopsis: It may be possible to run arbitrary code on the remote web server.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By
leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method which is less reliable than the basic method.

Data Received: Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The '1376892702' parameter of the /javascript/jsw.js CGI : /javascript/jsw.js?
1376892702=%7C%7C%20sleep%2021%20%26
-------- output --------
// Copyright 1999-2012. Parallels IP Holdings GmbH. All Rights Reserved.
/* JavaScript Widgets */
Jsw = {
version: '1.0', baseUrl: '',
_registredComponents: null, _initOnReady: false, [...]
------------------------

SM are happy to mark it as a false positive but first need to clarify exactly what this file does. Suspect this is a false positive but would appreciate some input from Parallels.
 
Judging by the source (available at /usr/local/psa/admin/htdocs/javascript/jsw.js) it's just a JavaScript library. Since it is served as static content, it couldn't be affected by any GET parameters, IMO. Therefore this time-based check should be a false positive. You should probably wait for the official comment though.
 
1376892702 is a timestamp. It's needed to control the browser cache and nothing more. If jsw.js changed on the server (a new version of Plesk was installed), a new timestamp will be generated, which will force the browser to request jsw.js again instead of using the file retrieved earlier. The file jsw.js is a static JavaScript file and its content cannot be affected in any way by GET parameters.
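An added example (not from the original thread, and not Plesk code) that checks the claim made in both replies the way a defender would when triaging the scanner hit: fetch the file with no query string and with several values for the timestamp parameter, then confirm the bytes are identical and that no delay appears anywhere near the scanner's 21-second sleep. It assumes a local Python http.server standing in for the Plesk web server and a constructed stand-in for jsw.js; the parameter name 1376892702 and the 21 s threshold are taken from the post.

```python
import http.server
import pathlib
import socketserver
import tempfile
import threading
import time
import urllib.request
from functools import partial

# Constructed stand-in for the static library; not the real jsw.js shipped by Plesk.
JSW_JS = b"/* JavaScript Widgets (constructed sample) */\nJsw = { version: '1.0', baseUrl: '' };\n"

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence request logging; the query string is ignored anyway
        pass

def serve_static(root):
    """Serve `root` on a random loopback port from a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), partial(QuietHandler, directory=str(root)))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def timed_get(url):
    # The elapsed time is exactly what a time-based scanner probe measures.
    start = time.monotonic()
    with urllib.request.urlopen(url, timeout=30) as resp:
        body = resp.read()
    return body, time.monotonic() - start

def is_static_resource(base, path, param, values, probe_delay=21.0):
    """True if every query variant returns identical bytes with no added delay; a delay
    approaching probe_delay (the scanner's 21 s sleep) would mean the parameter is processed."""
    reference, ref_time = timed_get(base + path)
    for value in values:
        body, elapsed = timed_get(f"{base}{path}?{param}={value}")
        if body != reference or elapsed - ref_time > probe_delay / 2:
            return False
    return True

def demo():
    site = pathlib.Path(tempfile.mkdtemp(), "javascript")
    site.mkdir()
    (site / "jsw.js").write_bytes(JSW_JS)
    srv = serve_static(site.parent)
    try:
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        # 1376892702 is the cache-busting timestamp from the post; the other values are arbitrary.
        return is_static_resource(base, "/javascript/jsw.js", "1376892702",
                                  ["", "1376892702", "anything-else"])
    finally:
        srv.shutdown()
        srv.server_close()
```

Pointing `is_static_resource` at the real server instead of the local stand-in gives the same evidence SecurityMetrics would need to close the finding as a false positive.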
 