• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Security problem with filemng

@Blankster:
Edit this file:
/etc/sw-cp-server/applications.d/plesk.conf

And change the port number.
Restart sw-cp-server and it's fixed:

/etc/rc.d/init.d/sw-cp-server restart

I guess this will block the automated attacks for now.

Good idea, but if you have SSO or CBM - this port should be changed in database and maybe somewhere else.
But note that officially we recommend you use our best practice.
 
Some recent vulnerability claims seem to be based on old vulnerabilities that already have been patched –but possibly where Passwords were not completely reset or where Customers changed back to old and vulnerable passwords. We are currently investigating this new reported vulnerability on Plesk 10.4 and earlier. At this time the claims are unsubstantiated and we are unable to confirm this vulnerability and cannot confirm that this vulnerability is limited to any specific operating system.

Read more information in the article http://kb.parallels.com/en/114330
 
Generally, you should:

(1) apply fixes <-- http://kb.parallels.com/113321
(2) reset all passwords and make sure your clients don't change the passwords back <-- mail passwords could be skipped
(3) remove sessions records from psa db <-- mysql> delete from sessions;
(4) remove infected files <-- http://forum.parallels.com/showpost.php?p=630228&postcount=24

It should help.

The command line to apply the microupdate does not work :

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --reinstall-patch --install-component base

/usr/local/psa/admin/sbin/autoinstaller: unrecognized option `--reinstall-patch'
ERROR: You specified an unknown option.
Not all packages were installed.

What do I have to do ?

Thanks
 
This command works fine on Plesk 10.2, 10.4.4 and 11.0.9 at least. What is version of your Plesk? Did you try to find appropriate option with help of --help option?
 
Thanks for your reply.

My version of Plesk is 8.6. I tried without the "--reinstall-patch" option but when I have checked my server with your script "plesk_remote_vulnerability_checker.php", the output is still "The patch has not been applied".
 
Will renaming /usr/local/psa/admin/bin/filemng help to prevent this from happening atleast until a perfect fix is available ?
 
Renaming it will cause file manager not work and will break the automated script but this won't actually fix a possible security hole.. Also will have a nice effect of displaying a crash in interface when accessing file manager.
 
Yes, but the filemanager rename buys time to fix the problem and hopefully Plesk programmers to get off their butts and fix the problem.

We do web programming, and based on what we see in the admin panel logs, it should not be to hard for them to put a check in the CP to see if the filemanager request is coming from the Plesk CP or externally. A normal request from PP does not have the user name and domain id for a start.

I do not know what all the implications would be , but it seems that given what is going on , they should at least investigate the possibility.

That being said, does any one know how to disable file manager in Windows version of Plesk. Renaming or moving /admin/bin/filemng.exe does disable file manager from working.
 
I have to say; this topic is awfully quiet for a real vulnerability. I'm starting to get convinced it's actually the harvested passwords from Februari.
 
just installed http://kb.parallels.com/en/114379 using the link for custom fix for Linux 8.6 and now trying to access control panel comes up with

The file /usr/local/psa/admin/htdocs/index.php is part of Plesk 9 distribution. It cannot be run outside of Plesk 9 environment.

The installed looked right:
/usr/local/psa/admin/bin/php plesk_remote_vulnerability_fix_deployer.php
Copying "8.6.0/Agent.php" to "/usr/local/psa/admin/plib/api-rpc/Agent.php"
Copying "8.6.0/help.php" to "/usr/local/psa/admin/htdocs/help.php"
Copying "8.6.0/common_func.php3" to "/usr/local/psa/admin/plib/common_func.php3"
Copying "8.6.0/AgentSubDomain.php" to "/usr/local/psa/admin/plib/api-rpc/AgentSubDomain.php"
Restarting Plesk
The patch has been successfully applied.

So what's up?
 
I'm still waiting for an official e-mail about this, I want to know details. The KB article mentions an internal security audit, but this situation is far from an internal security audit :)
 
@jdarby > Same problem, solved by manually updating files /usr/local/psa/admin/plib/common_func.php3 and /usr/local/psa/admin/plib/api-rpc/AgentSubDomain.php from another plesk 8.6 server (that updated by the autoinstaller), the other 2 files are ok...
 
Here the updates to 8.6 Linux worked well but we now have problems with our 9.5.5 central eMail-Server (Windows)...

See thread here: http://forum.parallels.com/showpost.php?p=631297&postcount=7

I hope Parallels really gets those security flaws under control...
It is not a good feeling to think that you are sitting on top of a ticking timebomb all the time and somebody has access to all our plesk-based systems...

Best regards,

Chris
 
Never Mind - Fixed it by running /usr/local/psa/admin/sbin/autoinstaller --select-release-current --upgrade-installed-components. Auto installed correct versions. All good again.
 
Last edited:
I updated our Plesk 9.5 Linux servers (Plesk, Atmail, PHPMyAdmin), everything seems fine.
 
The KB article is gone... Some more communication from Parallels would be nice....
 
@IgorG
Can we get some more information on this?
This morning KB-article 114379 had some scripts to do manual updates, they are gone now, it only says we should install MicroUpdates.
And does it have to do anything with this topic?
 
Back
Top