
Resolved Removing Wappspector

jamie!

New Pleskian
Server operating system version: AlmaLinux 9.3
Plesk version and microupdate number: 18.0.59
Wappspector is being picked up by security scanners. Of course they are false positives, but with the amount of servers, there are a ton. Ignoring/clearing the issues is a pain.

Is it possible to remove Wappspector -- and without unintended consequences?
 
Hi, the Wappspector feature is provided as a part of core Plesk functionality for now - it's impossible to remove.

But it's interesting to know more about the security scanners: could you please provide a more detailed description of the issue you faced? We want to improve it to avoid such issues.

Thank you in advance.
 
Hi Anthony,

All of the frameworks and versions are flagged in Wiz as out-of-date web apps and corresponding CVEs, since its method of detection is file path. We could certainly ignore since they are false positives, but as you can imagine, there are a ton of these (attached ss):
E.g.,

File /opt/psa/admin/plib/vendor/plesk/wappspector/test-data/wordpress/wordpress4.0/wp-includes/version.php version 4.0 is vulnerable to CVE-2017-9062, which exists in versions >= 4.0.0, <= 4.7.4.
 

Attachments

  • Screenshot 2024-03-18 at 10.33.15 AM.png
@Anthony Thank you for looking into this so fast! I really appreciate it. But while this will fix a few CVE findings, others won't be resolved because WP v 4.9.25 is still out of date with CVEs. It's also the frameworks as well and older versions that Wiz is flagging as vulnerabilities. For example, CodeIgniter is flagged:

Code:
File /usr/local/psa/admin/plib/vendor/plesk/wappspector/test-data/codeigniter/4/vendor/codeigniter4/framework/system/CodeIgniter.php version 4.3.6 is vulnerable to CVE-2023-46240, which exists in versions >= 4.0.0, < 4.4.3.

I suspect the only way around this one is to change the file path which Wiz scanner (and others) are looking for.
 

Attachments

  • Screenshot 2024-03-20 at 11.13.49 AM.png
  • Screenshot 2024-03-20 at 11.13.41 AM.png
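A small triage script, added here as an example and not part of this thread, of Plesk, or of Wiz: it parses scanner lines in the format quoted above, checks that the reported version really falls inside the stated range, and separates findings whose path sits under the wappspector/test-data fixture tree (candidates for a documented suppression) from findings on deployed code that still need review. The third sample line, the example.com vhost path and the fixture marker list are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample input: lines 1-2 mirror the Wiz findings quoted in the
# thread; line 3 is a made-up finding on deployed code for contrast.
SAMPLE_FINDINGS = """\
File /opt/psa/admin/plib/vendor/plesk/wappspector/test-data/wordpress/wordpress4.0/wp-includes/version.php version 4.0 is vulnerable to CVE-2017-9062, which exists in versions >= 4.0.0, <= 4.7.4.
File /usr/local/psa/admin/plib/vendor/plesk/wappspector/test-data/codeigniter/4/vendor/codeigniter4/framework/system/CodeIgniter.php version 4.3.6 is vulnerable to CVE-2023-46240, which exists in versions >= 4.0.0, < 4.4.3.
File /var/www/vhosts/example.com/httpdocs/wp-includes/version.php version 4.0 is vulnerable to CVE-2017-9062, which exists in versions >= 4.0.0, <= 4.7.4.
"""
# Path fragments that mark detection fixtures rather than served code
# (assumption: only Wappspector's test-data tree is treated this way).
FIXTURE_MARKERS = ("/wappspector/test-data/",)
FINDING_RE = re.compile(
    r"^File (?P<path>\S+) version (?P<version>\S+) is vulnerable to "
    r"(?P<cve>CVE-\d{4}-\d+), which exists in versions (?P<range>.+?)\.?$")
BOUND_RE = re.compile(r"(>=|<=|>|<)\s*([\d.]+)")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}
# version_in_range: the scanner's stated range really covers the version;
# fixture: the path sits under a fixture tree, so likely a false positive.
Finding = namedtuple("Finding", "path cve version version_in_range fixture")

def vtuple(v):
    """'4.0' -> (4, 0, 0): pad so '4.0' and '4.0.0' compare equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, range_text):
    """True when every bound in the scanner's range text holds for version."""
    return all(OPS[op](vtuple(version), vtuple(b))
               for op, b in BOUND_RE.findall(range_text))

def triage(text):
    """Parse finding lines in the scanner's format; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            d = m.groupdict()
            out.append(Finding(d["path"], d["cve"], d["version"],
                               in_range(d["version"], d["range"]),
                               any(mk in d["path"] for mk in FIXTURE_MARKERS)))
    return out

def split_findings(text):
    """Return (fixture hits to suppress with a documented note, hits to review)."""
    items = triage(text)
    return [f for f in items if f.fixture], [f for f in items if not f.fixture]
```

Suppressing by path alone is only safe if the fixture directory is not reachable from any served vhost, so pair the suppression note with that check rather than relying on the marker match.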