• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Security issues?

K

knocx

Guest
We have been in hosting industry since 1999 Both Linux and Windows
we have started using PLESK on our windows platforms (we cureently use it on linux already)

But there are a lot of problems with the initial client domain setup

- Clients Can not See ASP debug error messages (this is a real pain)
- By default clients can not write to their access Databases (this is a real pain)
- Skeleton needs a DB folder with IIS_Client_User can read write whe clients may put their access DB
- Upload scripts wont work
We have to do many manual configuration after creating the domain in PLESK


The Apropriate Skeleton Should be like that


logs
...etc
...etc
httpdocs ----> R/W/M IIS_Web_User/whateverdomain.com
httpsdocs ----> R/W/M IIS_Web_User/whateverdomain.com
DB ----> R/W/M IIS_Web_User/whateverdomain.com
...etc
webusers

They say its because of security :) what kind of a security is this? people can not write to their databases...
it is just a misconfiguration... not a security risk


Here is a Security Risk:
*********

there were some other directory traversal vulnerabilities in PLESK that i have posted to support
with a proof of concept code written in ASP, that i dont want to disclose here

they said theses vulns will be fixed in next patch however they claim that they can not fix the default skeleton permissions
because of the security issues!

what kind of a security is this? people can not write to their databases, but can read any ones database or emails with a
simple ASP Script!
*********


Unless the skeleton is not re-organized as i had suggested PLESK Win will stay problematic & and will be hard to use.

Any One Would Like to Discuss Security on Windows are Welcomed

Regards
 
well done

That is right .
I founded this problem ( ASP file access ) before and mail it to support team ( you can upload file too (for example a Trojan in desktop folder of administrator ;) !!! (tested on Plesk 6.5 ) ) !!!! . ( this occur because plesk used one application pool for all site that solved in 7 and in 7.5 again get … … … … . !! ) .

And really one DB folder is necessity ( but IIS default application configuration prevention access to upper folder :( ) (so time consuming for use to give iis User access to one folder ,,,, and so bad when you want to transfer domains or your server ,, woooooooffffff , backup restore not support permeations )

Security hole is more and more some of then we don’t know about it and some of them most be hidden . but we have just hope :) .
 
well ... however i do not declare my self as a programming guru
i have BSc, MSc and PhD in CS , a CISSP cert, and a CCNP cert


we run a hosting company since 1999 and deal with lots of security issues ,

i hope PLESK will consider some of my suggestions , i know that most of the programmers lacks security :) thats because they are programmers not security gurus.

Consider that most plesk admins wont be familiar with manual setups and they wont be able to re-configure the inproper plesk setup, plesk for sure, will get too many complains about this problem.
 
I also have serious (and unresolved) issues with Access databases. Using Plesk 7 on Windows 2003 Standard Edition. MDAC is fully up-to-date.

I have open a ticket with Plesk 6 months ago. After exchange of tens and tens of messages, the problem is still not resolved. The Plesk technicians seem to be completely incompetent in this area. I have escalated this to the highest level at SW-Soft without getting resolution. Once again, this has been going on for 6 months. I am pissed off with their catastrophic support. This should be a very basic thing to resolve though. Everybody supports Access databases in Windows hosting!

Have you solved your own Access database WRITE issues? I am desperate finding the solution.

Thanks in advance.

Gilles
 
Hello GMSoftware;

Sorry but the only solution to make an acces DB writable is to manualy give write permission to the IIS User :)

Well PLESK must handle this problem asap, otherwise problems will arise and arise...
 
Originally posted by GMSoftware
I also have serious (and unresolved) issues with Access databases. Using Plesk 7 on Windows 2003 Standard Edition. MDAC is fully up-to-date.

I have open a ticket with Plesk 6 months ago. After exchange of tens and tens of messages, the problem is still not resolved. The Plesk technicians seem to be completely incompetent in this area. I have escalated this to the highest level at SW-Soft without getting resolution. Once again, this has been going on for 6 months. I am pissed off with their catastrophic support. This should be a very basic thing to resolve though. Everybody supports Access databases in Windows hosting!

Have you solved your own Access database WRITE issues? I am desperate finding the solution.

Thanks in advance.

Gilles
Click to expand...
In Plesk 7.5 I'm granted write and read rights for mdb-file for Plesk IIS WP user and deny write&read rights for Plesk IIS user (to prevent database file access via browser), and all works fine
 
has anything been changed by now?

i am still encountering problems with access db's.

In some webs it works in some not!

??? i really don't understand it. i have the same setting f.e. in 2 "domains" and in one the access db is writeable the other throws a: ... need an updatable querie

Has anybody a 100% solution and guide?

Saludos
Pat

Hope 7.5.4 will have some improvements on this!
 
knocx, and atk+, could you please send me info about the vulnerbilities yuo have found, and how to secure them?

I too call for a directory change and an addition of a db folder.

another security note: plesk is instaled with a open ssl version that is vulnerable to DoS attacks. Has anyone on windows,

1. used stunnel to run SSL over POP3, or other apps ?
2. upgraded stunnel/opeen ssl?
3. knows exactly how it is currently used in plesk ?

your help greatly appreciated!

(currently still on 7.0.3, waiting for 7.5 to be stable enough?? )
 
With regards to the Errors with Access , do you have Custom Error Pages checked as ON in that domain?

Client -> Domain -> Setup -> (roll down to the very end, and see if Custom Error Pages is checked).

Unchecking the Custom Error Pages will show you the errors.

Second,.. as for the MDB permissions, what I do is:

In the IIS, I have changed the Default to allow Parent Paths and direct all my users to place the MDB files in the private directory (same level as httpdocs).

Then, use the File Manager in Plesk and ADD the WRITE permissions to the MDB file.. - The only Addition is providing Anonymous User the WRITE permission.
Don't change anything else.

Once that is done,. the MDB file can read/write and is safely tucked in a non public area, so it cannot be downloaded.

Hope that Helps.

-Alon.
 
You must log in or register to reply here.

Similar threads

I
Issue maria DB update plesk 18.0.50
Replies
10
Views
5K
Maarten
M
michaeljoseph01
Question Imunify360 or fail2ban PLEASE give me your input
Replies
6
Views
4K
The 8th
The 8th
M
Resolved Failed to execute backup database: unknown variable 'bind-address=127.0.0.1'
Replies
2
Views
3K
makenext.srl
M
Ming
Issue Passenger issue - boost::thread_resource_error: Resource temporarily unavailable
Replies
12
Views
5K
Ming
Ming
A
Question my.cnf in /root
Replies
0
Views
2K
AWSolutions
A
Back
Top