K
knocx
Guest
Applies to all default Plesk installations including 7.5.6 without a patch
Directory traversal vulnerability:
=========================
By default ACL configurations are very poor& dangerous! each client on your server will have read&execute access to nearly everywhere on your system, this means that any client who can execute a php asp or perl script on his site can steal your MySQL DB raw files.
any client who can execute a php asp or perl script on his site is able to browse and steal other peoples access databases or confidential files located down their ftp root.
This ACL misconfiguration has never changed since 7.5 Reloaded release
as a proof you can use well known remview.php , or a similar asp file management and command execution utility tool and test your server
Plesk MySQL Database
======================
Normally plesk database is very naive and simple also very bad in terms of consistency. There are no COnstraints or foreign key defined. Their DB does not fit into any kind of known normal forms, chomskynormal form, 3rd normal form..etc.
And they use a very vulnerable old version of MySQL by default also, it is impossible to understand why they dont use latest versions since they do not have a comples table structures.
Plesk Passwords
======================
All passwords are stored in plain text, in such a vulnerable DB version...
SiteBuilder Malicious Code injection
=======================
Any one can upload a malware script via sitebuilder, file upload is protected with a lame javascript. disable scripts and upload whatever you want
Merak Mail Server
=======================
There are Major vulnerabilities on the 8.0 versions of Merak Plesk still can not support upper versions of merak.
Plesk has began to be too slow on the market , if it does like that they will loose a great market share in few months.
knocx
Directory traversal vulnerability:
=========================
By default ACL configurations are very poor& dangerous! each client on your server will have read&execute access to nearly everywhere on your system, this means that any client who can execute a php asp or perl script on his site can steal your MySQL DB raw files.
any client who can execute a php asp or perl script on his site is able to browse and steal other peoples access databases or confidential files located down their ftp root.
This ACL misconfiguration has never changed since 7.5 Reloaded release
as a proof you can use well known remview.php , or a similar asp file management and command execution utility tool and test your server
Plesk MySQL Database
======================
Normally plesk database is very naive and simple also very bad in terms of consistency. There are no COnstraints or foreign key defined. Their DB does not fit into any kind of known normal forms, chomskynormal form, 3rd normal form..etc.
And they use a very vulnerable old version of MySQL by default also, it is impossible to understand why they dont use latest versions since they do not have a comples table structures.
Plesk Passwords
======================
All passwords are stored in plain text, in such a vulnerable DB version...
SiteBuilder Malicious Code injection
=======================
Any one can upload a malware script via sitebuilder, file upload is protected with a lame javascript. disable scripts and upload whatever you want
Merak Mail Server
=======================
There are Major vulnerabilities on the 8.0 versions of Merak Plesk still can not support upper versions of merak.
Plesk has began to be too slow on the market , if it does like that they will loose a great market share in few months.
knocx