
Plesk server hacked multiple times!

You should get rid of Mambo, as there are several security flaws. Upgrade to Joomla 1.0.11 at joomla.org (I use the latest, it's nice).
 
Apart from the debate about SWsoft and their responsibilities...

I don't have time for this as I am running 3 jobs and I work almost 12 hours a day. Would anybody be so kind as to explain (in brief) the exploit posted on the first page of this thread (i.e. how does it work and what does it do) so that many of us can benefit from it and tune our servers?

Back on the debate:

As for /tmp, it is supposed to be a globally writable directory, otherwise it wouldn't be called /tmp.

If you want a secure PHP hosting solution, don't use a control panel. Just install custom Apache, custom PHP with suPHP or whatever other PHP security mods, custom SSH, custom FTP... I do that for my mission critical servers.
 
all sites have access to /tmp via php.

upload script to /tmp and execute it.

voila, you have root access.

Plesk Linux & Windows is infected with this serious security bug.

disabling script execution in /tmp will make half of plesk crash.

there is no rewrite or plesk will fail (mysql, postgresql, spamassassin...)
 
so, you have a php script.

- create an upload form in it.
- upload a perl cgi file to /tmp, where php gives access to
- set a crontab to execute /tmp/perlscript

voila, you have full root access.

for example, if you put SYSTEM('rm -fr /'); in this perl script it removes the entire disk as far as possible.

/tmp has root access, via php you get chrooted access to tmp but you can still execute any script with any command via /tmp, where root AND plesk users have access to.
 
if somebody has a plesk server and wants it done for them, i'll record it on divx video and send it to you.

IT'S EASY TO CRACK DOWN, Linux and Windows.

And don't forget, Linux has no decent repair function, only Windows has.

It will take you months to rebuild your server and you cannot secure it or Plesk will fail.
 
so, you have a php script.

- create an upload form in it.
- upload a perl cgi file to /tmp, where php gives access to
- set a crontab to execute /tmp/perlscript

voila, you have full root access.

for example, if you put SYSTEM('rm -fr /'); in this perl script it removes the entire disk as far as possible.

/tmp has root access, via php you get chrooted access to tmp but you can still execute any script with any command via /tmp, where root AND plesk users have access to.

Hmm, this cannot happen if you mount your /tmp partition with noexec,no_su options.

Edit your /etc/fstab file from:
LABEL=/tmp /tmp ext3 defaults 1 2

TO:

LABEL=/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0

Then it does not matter what the users upload to your tmp partition as they cannot execute any files within the /tmp partition :)
 
That is not entirely accurate. I've seen it proven wrong by making a direct call. Example:
/usr/bin/perl /tmp/c.pl
Mounting /tmp with noexec is a false promise of security... it alone will not help.
A good set of mod_security rules will help. This is a feature available with cPanel, and Plesk should look into writing it as a plugin into Plesk, instead of spending their time developing the Gameserver module.
Running updated software will help. Charging users for the use of the Application Vault, then distributing software in it that is a year out of date and full of security holes does nothing to help this.
Better defined Firewall rules will help. swsoft was onto something with the Firewall module. Unfortunately, it was **** and not nearly controllable enough for its purpose.
Enabling Safe_mode by default was a good call, but it's only good so long as the admin doesn't disable it. It would also help if they synched this with the Application Vault, as a number of programs in there whine that Safe_Mode needs to be turned off for them to work.
Locking down php would help. swsoft would excel over other Control Panels if they set up a simple Administration panel that allowed users to tweak their php.ini file... disable certain commands, register_globals configuration, and such.
The list of security steps that other Control Panels have tackled and swsoft has steered away from, or bundled as "premium packages", continues to grow. And all the while, Plesk users are beginning to feel like beta testers... backup features not working, spam filtering going through the floor, system crashes... it's hard to have a stable and secure server when you can't back it up without having to pay an additional $100 to buy the software to do it, when it should already be included.
Anyway, ranting. While swsoft should not be expected to run the server for the people, they are most definitely dropping the ball on their Control Panel, in hopes of making more money with their other services. Think back to before Plesk 5, when they were more focused on good software, and less focused on the money that came from it.
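An added audit helper (not from this thread or from Plesk) covering Traged1's fstab change and the caveat above that noexec alone is not enough: it reads a mount table in /proc/mounts format, checks whether /tmp is a separate mount, and reports which of noexec, nosuid and nodev are missing (nodev is an extra flag beyond the thread's noexec/nosuid). Whatever it reports, remember that an interpreter such as /usr/bin/perl can still read a script from a noexec /tmp, so this check covers only direct execution.

```shell
# Added example: audit the mount options of /tmp.
# Usage: tmp_mount_missing_opts [mount-table]; defaults to the live /proc/mounts.
# Prints the missing hardening options (or "not-a-separate-mount") and
# returns 0 only when /tmp is a separate mount carrying all three options.
tmp_mount_missing_opts() {
    table="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # If /tmp is mounted more than once, the last entry is the effective one.
    line=$(awk '$2 == "/tmp" { l = $0 } END { print l }' "$table")
    if [ -z "$line" ]; then
        # /tmp lives on the root filesystem: noexec/nosuid cannot be applied to it alone.
        echo "not-a-separate-mount"
        return 1
    fi
    opts=$(echo "$line" | awk '{ print $4 }')
    missing=""
    # noexec: no direct execve of files in /tmp (interpreters still bypass this).
    # nosuid: set-uid/set-gid bits are ignored. nodev: device nodes are ignored.
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}
```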
 
Originally posted by Traged1
Hmm, this cannot happen if you mount your /tmp partition with noexec,no_su options.

Edit your /etc/fstab file from:
LABEL=/tmp /tmp ext3 defaults 1 2

TO:

LABEL=/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0

Then it does not matter what the users upload to your tmp partition as they cannot execute any files within the /tmp partition :)

DID YOU READ MY POST.

Mounting /tmp with NOEXEC does NOT HELP.

IT WILL SMASH PLESK PSA DATABASE AND SEVERAL OTHER FUNCTIONS WILL FAIL.

Mysql fails, and you can do a serious rpm -e command which will take days.

It's because mysql uses /tmp and with noexec it starts messing up all services. Spamassassin, psa database, postgresql..........

HELLO!!!!!!!!!!!!!!!!!!!!!

If you upload a script via php from your site to /tmp (which is an open_basedir folder) you can upload AND execute any script as ROOT.

So please don't be stupid by telling people to use noexec in the mount table because it will 1) give a mount error (but startup is still possible), 2) fail the entire plesk and all websites, 3) corrupt your database.

I HAVE TRIED THE WHOLE WAY.
 
Originally posted by Markus
DID YOU READ MY POST.

Mounting /tmp with NOEXEC does NOT HELP.

IT WILL SMASH PLESK PSA DATABASE AND SEVERAL OTHER FUNCTIONS WILL FAIL.

Mysql fails, and you can do a serious rpm -e command which will take days.

It's because mysql uses /tmp and with noexec it starts messing up all services. Spamassassin, psa database, postgresql..........

HELLO!!!!!!!!!!!!!!!!!!!!!

If you upload a script via php from your site to /tmp (which is an open_basedir folder) you can upload AND execute any script as ROOT.

So please don't be stupid by telling people to use noexec in the mount table because it will 1) give a mount error (but startup is still possible), 2) fail the entire plesk and all websites, 3) corrupt your database.

I HAVE TRIED THE WHOLE WAY.

um.. wrong.. anyway.. there are ways around executing scripts in /tmp even if it has noexec, like having perl execute them.. but you should mount your /tmp with noexec and also do a symlink for /var/temp to /tmp

Also it is impossible for plesk to make /tmp noexec, especially if you installed your OS like a moron and did not make /tmp a separate file system.
 
I have Plesk running fine with the /tmp directory mounted as noexec. As has been stated several times before, you need to have someone take a look at your server since it is plainly obvious you don't know what you're doing.
 
I have tested this personally on our RHEL linux servers many times over, so don't tell me that you can become root in a partition that has been mounted with the nosuid flag. PERIOD. IT WILL NOT HAPPEN on RHEL 3 or 4.
 
So please don't be stupid by telling people to use noexec in the mount table because it will 1) give a mount error (but startup is still possible), 2) fail the entire plesk and all websites, 3) corrupt your database.

You are a moron, please go back to school and learn some manners :)

We have been running PLESK on RHEL for over 3 years with the /tmp partition locked down, it has been working just fine and we have not had any corruption of our databases, and we serve over 1500 websites from those servers, all of which have been up and running at a load of .30 for over 2 years at 99.8% uptime.
 
create me a plesk account, and i will show you.

i will not take your server, just to prove it.
 
Originally posted by vaoffroader
I have Plesk running fine with the /tmp directory mounted as noexec. As has been stated several times before, you need to have someone take a look at your server since it is plainly obvious you don't know what you're doing.

1) MYSQL STARTUP WILL FAIL BECAUSE IT NEEDS EXEC FUNCTION IN /TMP
2) IT WILL GIVE MOUNTING ERRORS WHEN BOOTING (SEE YOUR BOOT SCREEN)
3) MYSQL IS NEEDED TO RUN DATABASES FOR SPAMASSASSIN
4) MYSQL IS NEEDED TO RUN PLESK PANEL, because upgrades work via the socket it will **** up your database when upgrading (or clean installing).

Sorry i am being rude, i just did the same as you did! NOEXEC /tmp

It did not work on 3 servers, RHEL3, RHEL4 and CENTOS4.4 FINAL.
 
Sorry i am being rude, but PLESK HAS BEEN HAVING TROUBLES SINCE 2.5.

1) NOT ONE UPGRADE WENT SMOOTHLY SINCE 2.5
2) SERVERS WERE HACKED SEVERAL TIMES
3) BACKUP IS NOT WORKING AS IT SHOULD BE
4) FIRST NO SECURITY, NOW OVERLOADED SECURITY, OR BETTER, INCOMPLETE, CHECK http://forum.swsoft.com/showthread.php?s=&threadid=36445

6 MONTHS DAY AND NIGHT CUSTOMER SUPPORT I AM GIVING NOW.

BYE BYE PLESK.

I AM REFUSING TO PAY FOR MY LICENSES NOW.
 
man if all you will do is flame about plesk, STOP USING IT AND SHUT UP.

this thread is beginning to get tiresome, i HAVE NEVER HAD an upgrade with problems.
I HAVE NEVER BEEN HACKED, MY BACKUPS WORK THE WAY THEY SHOULD (I TEST THE BACKUP AND RESTORE OFTEN) and I TAKE CARE OF MY SERVER SECURITY.

I secured my tmp, i installed mod_security (with a very strict ruleset) and mod_evasive, I check my logs, run my firewall (APF/BFD), update and custom compile my kernels (monolithic usually), patch everything that needs to be patched, and try my best to keep records of what happens on the server.

I see you will be flaming about whatever control panel you get on your box, because of your lame way of complaining about something SW-SOFT has no responsibility for.

About the Application Vault, none of the distributors of "packages" like it are responsible for upgrading them, they usually do them as a way for our clients to easy-install applications that normally, for an inexperienced user, can take hours or even days.

if you don't want X or Y application running on your server, delete it from the application vault, and create a TOS/AUP where you ban them and let your clients know that if they install it, they will get suspended.

get a life, grow, learn and then maybe you won't need to flame on forums about things this trivial.
 
If you both are so sure, why does nobody create me an account so i can show it to you?

And no problems with backups and upgrades!

Are you so sure you are using Plesk? Because i do not believe jack sjiiit from it.
 
You say you are using RHEL3.0

I had multiple clean RHEL3.0 installs.

NOT ONE UPGRADE WENT WELL, NOT ONE BACKUP WORKED.

Are you using language packs, are you using webapps, are you using dr web? Are you? And even without, not one upgrade worked, but not one, exactly the same for backups and restores, migration and security.
 