• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Removing Wappspector

jamie!

New Pleskian
Server operating system version
AlmaLinux 9.3
Plesk version and microupdate number
18.0.59
Wappspector is being picked up by security scanners. Of course they are false positives, but with the amount of servers, there are a ton. Ignoring/clearing the issues is a pain.

Is it possible to remove Wappspector -- and without unintended consequences?
 
Hi, the Wappspector feature is provided as a part of core Plesk functionality for now - it's impossible to remove.

But it's interesting to know more about the security scanners: could you please provide a more detailed description of the issue you faced? We want to improve it to avoid such issues.

Thank you in advance.
 
Hi Anthony,

All of the frameworks and versions are flagged in Wiz as out-of-date web apps and corresponding CVEs, since it's method of detection is file path. We could certainly ignore since they are false positives, but as you can imagine, there are a ton of these (attached ss):
E.g.,

File /opt/psa/admin/plib/vendor/plesk/wappspector/test-data/wordpress/wordpress4.0/wp-includes/version.php version 4.0 is vulnerable to CVE-2017-9062, which exists in versions >= 4.0.0, <= 4.7.4.
 

Attachments

  • Screenshot 2024-03-18 at 10.33.15 AM.png
    Screenshot 2024-03-18 at 10.33.15 AM.png
    50.7 KB · Views: 10
@Anthony Thank you for looking into this so fast! I really appreciate it. But while this will fix a few CVE findings, others won't be resolved because WP v 4.9.25 is still is out of date with CVEs. It's also the frameworks as well and older versions that Wiz is flagging as vulnerabilities. For example, CodeIgniter is flagged:

Code:
File /usr/local/psa/admin/plib/vendor/plesk/wappspector/test-data/codeigniter/4/vendor/codeigniter4/framework/system/CodeIgniter.php version 4.3.6 is vulnerable to CVE-2023-46240, which exists in versions >= 4.0.0, < 4.4.3.

I suspect the only way around this one, is to change the file path which Wiz scanner (and others) are looking for.
 

Attachments

  • Screenshot 2024-03-20 at 11.13.49 AM.png
    Screenshot 2024-03-20 at 11.13.49 AM.png
    144.6 KB · Views: 2
  • Screenshot 2024-03-20 at 11.13.41 AM.png
    Screenshot 2024-03-20 at 11.13.41 AM.png
    174.6 KB · Views: 2
Back
Top