
Plesk Default installation Vulnerabilities


knocx

Guest
Applies to all default Plesk installations including 7.5.6 without a patch


Directory traversal vulnerability:
==================================

By default the ACL configuration is very poor & dangerous! Each client on your server will have read & execute access to nearly everywhere on your system; this means that any client who can execute a PHP, ASP or Perl script on his site can steal your MySQL DB raw files.

Any client who can execute a PHP, ASP or Perl script on his site is able to browse and steal other people's Access databases or confidential files located under their FTP root.

This ACL misconfiguration has never changed since the 7.5 Reloaded release.

As a proof you can use the well-known remview.php, or a similar ASP file management and command execution utility, and test your server.

Plesk MySQL Database
====================
Normally the Plesk database is very naive and simple, and also very bad in terms of consistency. There are no constraints or foreign keys defined. Their DB does not fit into any kind of known normal form: Chomsky normal form, 3rd normal form, etc.

And they use a very vulnerable old version of MySQL by default as well; it is impossible to understand why they don't use the latest versions, since they do not have complex table structures.

Plesk Passwords
======================
All passwords are stored in plain text, in such a vulnerable DB version...

SiteBuilder Malicious Code Injection
====================================
Anyone can upload a malware script via SiteBuilder; file upload is protected with a lame JavaScript. Disable scripts and upload whatever you want.

Merak Mail Server
=================
There are major vulnerabilities in the 8.0 versions of Merak; Plesk still cannot support higher versions of Merak.

Plesk has begun to be too slow on the market; if it goes on like that they will lose a great market share in a few months.


Originally posted by knocx
Plesk has begun to be too slow on the market; if it goes on like that they will lose a great market share in a few months.

Alternative?
I've looked at other CP's, but none offer as much as Plesk...
 
Criticism does not mean there exists an alternative :)

PLESK is so naive, insecure and fragile that I cannot believe that SW-Soft developers are actually developing it.
 
I haven't investigated all of these issues, but I was astonished when I first saw that all passwords are stored in plain text in the database. Adding PW encryption and fixing all other security bugs should be the main priority before any further feature upgrades occur.
 
FFCus

The lack of security you are mentioning is very minor among the others; please test Plesk with a simple file manager that accepts physical paths as arguments.

i.e. browse to C:\Program Files\Swsoft\MySQL and you will be surprised; even worse, browse your vhosts directory....
 
Originally posted by knocx
FFCus

The lack of security you are mentioning is very minor among the others; please test Plesk with a simple file manager that accepts physical paths as arguments.

i.e. browse to C:\Program Files\Swsoft\MySQL and you will be surprised; even worse, browse your vhosts directory....

I look at not encrypting passwords in a database more as lazy than anything else. Perhaps there is a very good reason they didn't take the time to write encryption/decryption functions -- I'd love to hear their answer.

I took a look into remview.php. Every time I go to a page that has the code for download, Norton Antivirus pops up with a virus alert for "Hacktool".

Kudos to Norton for stopping that! Now I need to see what the AV on my server does when I try to download it.
 
WOW...

I just put remview.php (http://php.spb.ru/remview/) into a domain of a very limited user and ran it.

It gave the anonymous web browser a glimpse of every frickin' file on the server.

SWSoft...have you seen this? Have you tried this?

What can be done to stop this?
 
Only if you could know what you can do with ASP .NET :( ,

ASP .NET works as the Network account and one can do anything, execute a command shell etc., if you do not harden your system or apply a shared hosting policy.
 
File security installed by default in Windows allows read and execute privileges in many paths in the system (for example in Program Files) for the Users group. As a result you can view many files on the server through web scripts. The other problem is that we don't prohibit access to MySQL files in our installation, and it is a disappointing mistake. We published a hotfix to fix it.

Please, do one of the following:
1. Install hotfix 060209.17 (http://download1.swsoft.com/Plesk/Autoupdate/plesk7.5.6_update060209.17.msp), after that run reconfigurator and repair file security
2. Install hotfix 060309.18 (ftp://download1.swsoft.com/Plesk/Autoupdate/Plesk7.5.x_SecurityUpdate060309.18.msi)
3. Run Plesk AutoUpdater and install offered patches
 
Unless you remove the psacln group I can't say that Plesk is secure.

OK, let's say there is a patch for it ... how about .NET?

By default Plesk does not configure a .NET trust policy, and each .NET script is executed in a full trust environment as the Network account, which can execute anything in the system :)
 
Originally posted by lboss
File security installed by default in Windows allows read and execute privileges in many paths in the system (for example in Program Files) for the Users group. As a result you can view many files on the server through web scripts. The other problem is that we don't prohibit access to MySQL files in our installation, and it is a disappointing mistake. We published a hotfix to fix it.

Please, do one of the following:
1. Install hotfix 060209.17 (http://download1.swsoft.com/Plesk/Autoupdate/plesk7.5.6_update060209.17.msp), after that run reconfigurator and repair file security
2. Install hotfix 060309.18 (ftp://download1.swsoft.com/Plesk/Autoupdate/Plesk7.5.x_SecurityUpdate060309.18.msi)
3. Run Plesk AutoUpdater and install offered patches

I will look into these hotfixes. For future reference, where are these hotfixes announced? I never get the notification via email and I don't recall seeing them announced in the forum. Were they?

Maybe SWSoft could set up an RSS feed for server admins to always be up on the news.
 
Originally posted by FFCus
Maybe SWSoft could set up an RSS feed for server admins to always be up on the news.

Agreed. I check the SWsoft download section every day in hope of a new update/hotfix... RSS would be great, or at least enable the mailing list which we all signed up for...
 
I got a notification from the plesk autoupdater today about:

Plesk security update 060314.13

I've got some questions:
What exactly does the update do? What are the new permissions? Is a reboot required?

Altering permissions is a big change and could mess things up on a server... Therefore, I need a lot more info than just:
"default file and folder security settings corrected to prevent unauthorized access."
 
1. I think it is a very bad idea to describe details about security problems in any product, because hackers and other malicious people can use this information to hack servers.
2. This patch only fixes the problem described in the first post.
 
Originally posted by lboss
1. I think it is a very bad idea to describe details about security problems in any product, because hackers and other malicious people can use this information to hack servers.
2. This patch only fixes the problem described in the first post.

And what if after the update all custom permissions that have been set around the system aren't working anymore?
The above info is already sufficient for a hacker to get into about every plesk Windows server at this moment...
NOT giving details about the problem would be an even worse idea.
Now an administrator doesn't know what plesk is exactly doing on his system. It could be that some things need further adjustments on a specific server. Now it only takes more time to figure things out...
 
I've already done what lboss describes in post 10 of this thread, but I am still able to navigate, through the remview script, outside of a given site dir.

Is there any way to prevent it?
 
PHP, ASP and ASP .NET work under different accounts.

.NET works with the Network account (very vulnerable unless you edit your machine.config and web.config files in c:\windows\Microsoft.NET\framework version\config\).

However Plesk runs its own application pool under a local account; it is still vulnerable to directory traversal and code execution vulnerabilities.

Plesk cannot support the latest versions of the software on Windows, i.e. it still cannot support Merak 8.3.x, because it uses silly filters plugged into SMTP servers. Do a search for Merak 8.x vulnerabilities; with a default Plesk installation you have a default vulnerability for Merak Webmail.

With PHP and ASP you can traverse all the folders where the psacln group has read access; this makes the Plesk ACL configuration vulnerable, because each IUSR is a member of the psacln group, which is absolutely a misconfiguration.

ActiveState Perl has vulnerabilities for code execution if you use AWStats; upgrade and patch your Perl or they will knock you off.

The MySQL versions Plesk uses had a vulnerability for code execution; Plesk released a very "late" patch for it.

SiteBuilder for Windows is also vulnerable: file upload is just protected with a JavaScript, meaning that anyone can upload malicious code (like remview) as if it were an image, to your system.

Here is what we did: we dumped 1000 clients (1500 domains) on Windows PSA as they were compromised constantly, and started to program our own control panel for Windows.

Windows is a vulnerable OS by default. Most of the services run as SYSTEM, so if an exploit exists for any of the services you run on your system, then the attacker receives a command prompt with the rights of SYSTEM, where he can add a user to the administrators group.

When an attacker gains some access to your system he will probably try to install a lightweight vulnerable version of Serv-U, or some other tool for which an exploit exists. After that he will run the exploit and become SYSTEM.

What is missing for IIS is a web application firewall like Apache mod_security, where you can analyse and filter the posted URL.


knocx
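As an added example (not code from this thread, from Plesk or from any poster), here is a PowerShell audit a server admin could run to check the two points raised above: which sensitive paths grant the psacln group an Allow ACE, whether any IUSR_* anonymous account is a member of that group, and whether the framework-level web.config still sets ASP.NET to Full trust. The default paths, the group name and the framework version are assumptions; adjust them for your server.

```powershell
# Added audit script (assumed paths/versions, not Plesk's own tooling).
param(
    [string[]]$Paths = @('C:\Program Files\SWsoft\MySQL', 'C:\Inetpub\vhosts', 'C:\Windows\Temp'),
    [string]$Group = 'psacln',   # group the thread says every IUSR_* account belongs to
    # Assumed framework version; the <trust> element lives in the root web.config of the framework.
    [string]$FrameworkConfig = "$env:windir\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config"
)

# 1. Report every Allow ACE on the given paths that names the group.
foreach ($p in $Paths) {
    if (-not (Test-Path -Path $p)) { Write-Warning ("Missing path: {0}" -f $p); continue }
    $acl  = Get-Acl -Path $p
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match ("\\{0}$" -f $Group)
    })
    if ($hits.Count -eq 0) {
        Write-Output ("{0}: no Allow ACE for {1}" -f $p, $Group)
    } else {
        foreach ($h in $hits) {
            Write-Output ("{0}: {1} granted {2} (inherited={3})" -f $p, $h.IdentityReference, $h.FileSystemRights, $h.IsInherited)
        }
    }
}

# 2. List IUSR_* accounts that are members of the group (local group, read via ADSI WinNT provider).
$grp     = [ADSI]("WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $Group)
$members = @($grp.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$members | Where-Object { $_ -like 'IUSR_*' } | ForEach-Object {
    Write-Output ("Anonymous web account in {0}: {1}" -f $Group, $_)
}

# 3. ASP.NET trust level: "Full" lets every .NET site call any API the worker account can.
if (Test-Path -Path $FrameworkConfig) {
    [xml]$cfg = Get-Content -Path $FrameworkConfig
    $trust = $cfg.configuration.'system.web'.trust
    Write-Output ("ASP.NET trust level in {0}: {1}" -f $FrameworkConfig, $trust.level)
    if ($trust.level -eq 'Full') {
        Write-Warning 'Shared hosting normally runs with <trust level="Medium" /> instead of Full.'
    }
} else {
    Write-Warning ("Framework config not found: {0}" -f $FrameworkConfig)
}
```

Run it in an elevated PowerShell session; the Program Files result is expected (the Users group is granted read/execute there by Windows itself), so the lines worth acting on are the vhosts and MySQL paths and any IUSR_* membership it prints.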
 