
Security issues?

Discussion in 'Plesk for Windows - 8.x and Older' started by knocx, Mar 17, 2005.

  1. knocx

    knocx Guest

    0
     
    We have been in the hosting industry since 1999, both Linux and Windows.
    We have started using PLESK on our Windows platforms (we currently use it on Linux already).

    But there are a lot of problems with the initial client domain setup:

    - Clients cannot see ASP debug error messages (this is a real pain)
    - By default clients cannot write to their Access databases (this is a real pain)
    - The skeleton needs a DB folder that IIS_Client_User can read and write, where clients may put their Access DB
    - Upload scripts won't work
    We have to do a lot of manual configuration after creating the domain in PLESK.


    The appropriate skeleton should be like this:


    logs
    ...etc
    ...etc
    httpdocs ----> R/W/M IIS_Web_User/whateverdomain.com
    httpsdocs ----> R/W/M IIS_Web_User/whateverdomain.com
    DB ----> R/W/M IIS_Web_User/whateverdomain.com
    ...etc
    webusers

    They say it's because of security :) What kind of security is this? People cannot write to their databases...
    It is just a misconfiguration, not a security risk.


    Here is a security risk:
    *********

    There were some other directory traversal vulnerabilities in PLESK that I have posted to support
    with proof-of-concept code written in ASP, which I don't want to disclose here.

    They said these vulns will be fixed in the next patch; however, they claim that they cannot fix the default skeleton permissions
    because of the security issues!

    What kind of security is this? People cannot write to their databases, but can read anyone's database or emails with a
    simple ASP script!
    *********


    Unless the skeleton is re-organized as I have suggested, PLESK Win will stay problematic and will be hard to use.

    Anyone who would like to discuss security on Windows is welcome.

    Regards
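The risk knocx describes (one customer's script reading another customer's files) comes down to the NTFS ACLs on the vhosts tree, so here is an added audit script, not from this thread or from Plesk, that walks each domain directory under the vhosts root and lists Allow entries granted to broad groups or to another domain's IIS account. The vhosts path, the account-name pattern (the thread's `IIS_Web_User\domain` notation) and the group list are assumptions to adjust for your installation.

```powershell
# Added example, not from the thread or from Plesk.
# Walk each domain directory under the vhosts root and report Allow entries
# that belong to broad groups or to another domain's IIS account, i.e. the
# cross-customer read access knocx describes. Path, account-name pattern and
# group list are assumptions; adjust them to your installation.
param(
    [string]$VhostsRoot = 'C:\Inetpub\vhosts',
    # Short names (machine or BUILTIN prefix stripped before comparing)
    [string[]]$BroadPrincipals = @('Everyone', 'Users', 'Authenticated Users', 'IIS_WPG')
)

function Get-DomainFromAccount {
    param([string]$Account)
    # Assumed naming: the domain follows a backslash or underscore, e.g.
    # 'IIS_Web_User\example.com' (thread's notation) or 'IUSR_example.com'.
    if ($Account -match '[\\_]([A-Za-z0-9.-]+\.[A-Za-z]{2,})$') { return $Matches[1] }
    return $null
}

function Find-CrossDomainAccess {
    param([string]$Root, [string[]]$Broad)
    $findings = @()
    foreach ($domainDir in Get-ChildItem -Path $Root -Directory) {
        $domain = $domainDir.Name
        # Check the domain root and its first-level folders (httpdocs, private, ...),
        # because inheritance is commonly broken on those.
        $targets = @($domainDir) + @(Get-ChildItem -Path $domainDir.FullName -Directory)
        foreach ($dir in $targets) {
            $acl = Get-Acl -Path $dir.FullName
            foreach ($ace in $acl.Access) {
                # Deny entries only restrict; only Allow entries can widen access.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                $shortName = ($id -split '\\')[-1]
                $otherDomain = Get-DomainFromAccount -Account $id
                $isBroad = $Broad -contains $shortName
                if ($isBroad -or ($otherDomain -and $otherDomain -ne $domain)) {
                    $findings += [pscustomobject]@{
                        Domain    = $domain
                        Path      = $dir.FullName
                        Principal = $id
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
    return $findings
}

$results = @(Find-CrossDomainAccess -Root $VhostsRoot -Broad $BroadPrincipals)
if ($results.Count -eq 0) {
    Write-Output 'No cross-domain or broad Allow entries found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it in an elevated session so every domain folder is readable. A hit is a line to review rather than a proven hole (a backup service account is a legitimate reason for a broad entry). If, as ATK+ notes for older versions, all sites run under one shared worker-process identity, the script will not flag anything because the same principal legitimately appears on every domain; in that case the ACLs cannot separate customers at all, and the fix is a per-site identity, not an ACL change.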
     
  2. ATK+

    ATK+ Guest

    0
     
    Well done.

    That is right.
    I found this problem (ASP file access) before and mailed it to the support team (you can upload files too (for example a Trojan in the desktop folder of the administrator ;) !!! (tested on Plesk 6.5)) !!!! (This occurs because Plesk used one application pool for all sites; that was solved in 7, and in 7.5 again get … … … … !!).

    And really one DB folder is a necessity (but the IIS default application configuration prevents access to the upper folder :( ) (so time consuming for us to give the IIS user access to one folder, and so bad when you want to transfer domains or your server, woooooooffffff, backup/restore does not support permissions).

    Security holes are more and more; some of them we don't know about and some of them must be hidden. But we have just hope :).
     
  3. knocx

    knocx Guest

    0
     
    Well... however, I do not declare myself a programming guru.
    I have a BSc, MSc and PhD in CS, a CISSP cert, and a CCNP cert.


    We have run a hosting company since 1999 and deal with lots of security issues.

    I hope PLESK will consider some of my suggestions; I know that most of the programmers lack security :) That's because they are programmers, not security gurus.

    Consider that most Plesk admins won't be familiar with manual setups and won't be able to re-configure the improper Plesk setup; Plesk, for sure, will get too many complaints about this problem.
     
  4. GMSoftware

    GMSoftware Guest

    0
     
    I also have serious (and unresolved) issues with Access databases. Using Plesk 7 on Windows 2003 Standard Edition. MDAC is fully up-to-date.

    I opened a ticket with Plesk 6 months ago. After an exchange of tens and tens of messages, the problem is still not resolved. The Plesk technicians seem to be completely incompetent in this area. I have escalated this to the highest level at SW-Soft without getting a resolution. Once again, this has been going on for 6 months. I am pissed off with their catastrophic support. This should be a very basic thing to resolve though. Everybody supports Access databases in Windows hosting!

    Have you solved your own Access database WRITE issues? I am desperate to find the solution.

    Thanks in advance.

    Gilles
     
  5. knocx

    knocx Guest

    0
     
    Hello GMSoftware,

    Sorry, but the only solution to make an Access DB writable is to manually give write permission to the IIS user :)

    Well, PLESK must handle this problem ASAP, otherwise problems will arise and arise...
     
  6. ColorPrint

    ColorPrint Guest

    0
     
    In Plesk 7.5 I granted write and read rights on the mdb file for the Plesk IIS WP user and denied write & read rights for the Plesk IIS user (to prevent database file access via browser), and all works fine.
     
  7. knocx

    knocx Guest

    0
     
    Yes, it's OK, but

    you do it manually; what difference does that make?
     
  8. bonezpat

    bonezpat New Pleskian

    22
    53%
    Joined:
    May 29, 2005
    Messages:
    18
    Likes Received:
    0
    Has anything been changed by now?

    I am still encountering problems with Access DBs.

    In some webs it works, in some not!

    ??? I really don't understand it. I have the same setting, e.g. in 2 "domains", and in one the Access DB is writeable; the other throws a: ... need an updatable query

    Has anybody a 100% solution and guide?

    Saludos
    Pat

    Hope 7.5.4 will have some improvements on this!
     
  9. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    knocx and atk+, could you please send me info about the vulnerabilities you have found, and how to secure them?

    I too call for a directory change and the addition of a db folder.

    Another security note: Plesk is installed with an OpenSSL version that is vulnerable to DoS attacks. Has anyone on Windows

    1. used stunnel to run SSL over POP3, or other apps?
    2. upgraded stunnel/OpenSSL?
    3. knows exactly how it is currently used in Plesk?

    Your help is greatly appreciated!

    (currently still on 7.0.3, waiting for 7.5 to be stable enough?? )
     
  10. SupermanInNY

    SupermanInNY Guest

    0
     
    With regards to the errors with Access, do you have Custom Error Pages checked as ON in that domain?

    Client -> Domain -> Setup -> (roll down to the very end, and see if Custom Error Pages is checked).

    Unchecking the Custom Error Pages will show you the errors.

    Second, as for the MDB permissions, what I do is:

    In IIS, I have changed the default to allow Parent Paths and direct all my users to place the MDB files in the private directory (same level as httpdocs).

    Then, use the File Manager in Plesk and ADD the WRITE permission to the MDB file. The only addition is giving the Anonymous User the WRITE permission.
    Don't change anything else.

    Once that is done, the MDB file can be read/written and is safely tucked in a non-public area, so it cannot be downloaded.

    Hope that Helps.

    -Alon.
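As an added example that is not from the thread or from Plesk, the following PowerShell applies the arrangement SupermanInNY and ColorPrint describe: the Access file lives in the `private` folder beside httpdocs, the site's IIS identity gets Modify on that folder, the anonymous account can optionally be denied, and a final check reports any .mdb still sitting under httpdocs or httpsdocs where a browser could fetch it. The vhosts path, the `private` folder name and the account names (`IIS_Web_User\example.com` in the thread's notation, plus an optional anonymous account) are assumptions.

```powershell
# Added example, not from the thread or from Plesk.
# Keep Access databases out of the web root, grant the site's IIS identity
# Modify on that folder, optionally deny the anonymous account (ColorPrint's
# variant), then verify no .mdb is still downloadable from the docroot.
# All paths and account names below are assumptions for illustration.
param(
    [string]$Domain     = 'example.com',
    [string]$VhostsRoot = 'C:\Inetpub\vhosts',
    [string]$WebUser    = 'IIS_Web_User\example.com',  # assumed worker-process identity
    [string]$AnonUser   = '',                           # assumed anonymous IIS account, optional
    [switch]$DenyAnonymous
)

$domainRoot = Join-Path $VhostsRoot $Domain
$privateDir = Join-Path $domainRoot 'private'   # sibling of httpdocs; IIS does not serve it

function Set-PrivateDbPermissions {
    param([string]$Dir, [string]$Allow, [string]$Deny)
    if (-not (Test-Path -Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $acl = Get-Acl -Path $Dir
    # Modify covers read, write, create and delete on the folder and, via
    # inheritance, on the .mdb. Folder-level rights matter because Jet creates
    # an .ldb lock file next to the database; write on the file alone is not enough.
    $allowRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Allow, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($allowRule)
    if ($Deny) {
        # A Deny ACE takes precedence over Allow, so the anonymous account cannot
        # read the file even if a broader rule is inherited from a parent folder.
        $denyRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $Deny, 'ReadData,WriteData', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
        $acl.AddAccessRule($denyRule)
    }
    Set-Acl -Path $Dir -AclObject $acl
}

function Find-DbInDocroot {
    param([string]$DomainRoot)
    # Any Access file under a served folder is fetchable by URL unless IIS blocks it.
    $found = @()
    foreach ($docroot in 'httpdocs', 'httpsdocs') {
        $p = Join-Path $DomainRoot $docroot
        if (Test-Path -Path $p) {
            $found += Get-ChildItem -Path $p -Recurse -File -Include '*.mdb', '*.accdb' -ErrorAction SilentlyContinue
        }
    }
    return $found
}

$denyTarget = if ($DenyAnonymous) { $AnonUser } else { '' }
Set-PrivateDbPermissions -Dir $privateDir -Allow $WebUser -Deny $denyTarget

$exposed = @(Find-DbInDocroot -DomainRoot $domainRoot)
if ($exposed.Count -gt 0) {
    Write-Warning "Database files still under a served folder; move them to $privateDir"
    $exposed | ForEach-Object { Write-Warning $_.FullName }
}
(Get-Acl -Path $privateDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it elevated once per domain. Whether the account to allow is the worker-process identity or the anonymous user depends on which one your ASP pages actually execute as (the thread shows both set-ups); grant the one that runs the code and, if they differ, deny the other with `-DenyAnonymous`. Because the folder is outside both document roots, the file stays unreachable by URL even without the Deny entry; the Deny is defence in depth for the case where someone later copies the database into httpdocs.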
     