
Security problem with filemng

@Blankster:
Edit this file:
/etc/sw-cp-server/applications.d/plesk.conf

And change the port number.
Restart sw-cp-server and it's fixed:

/etc/rc.d/init.d/sw-cp-server restart

I guess this will block the automated attacks for now.

Good idea, but if you have SSO or CBM, this port should also be changed in the database and maybe somewhere else.
But note that officially we recommend that you use our best practice.
 
Some recent vulnerability claims seem to be based on old vulnerabilities that have already been patched, but possibly where passwords were not completely reset or where customers changed back to old and vulnerable passwords. We are currently investigating this newly reported vulnerability on Plesk 10.4 and earlier. At this time the claims are unsubstantiated; we are unable to confirm this vulnerability and cannot confirm that it is limited to any specific operating system.

Read more information in the article http://kb.parallels.com/en/114330
 
Generally, you should:

(1) apply fixes <-- http://kb.parallels.com/113321
(2) reset all passwords and make sure your clients don't change the passwords back <-- mail passwords could be skipped
(3) remove session records from the psa db <-- mysql> delete from sessions;
(4) remove infected files <-- http://forum.parallels.com/showpost.php?p=630228&postcount=24

It should help.

The command line to apply the microupdate does not work:

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --reinstall-patch --install-component base

/usr/local/psa/admin/sbin/autoinstaller: unrecognized option `--reinstall-patch'
ERROR: You specified an unknown option.
Not all packages were installed.

What do I have to do?

Thanks
 
This command works fine on Plesk 10.2, 10.4.4 and 11.0.9 at least. What version of Plesk do you have? Did you try to find the appropriate option with the help of the --help option?
 
Thanks for your reply.

My version of Plesk is 8.6. I tried without the "--reinstall-patch" option but when I have checked my server with your script "plesk_remote_vulnerability_checker.php", the output is still "The patch has not been applied".
 
Will renaming /usr/local/psa/admin/bin/filemng help to prevent this from happening, at least until a proper fix is available?
 
Renaming it will cause the file manager not to work and will break the automated script, but this won't actually fix a possible security hole. It will also have the nice effect of displaying a crash in the interface when accessing the file manager.
 
Yes, but the file manager rename buys time to fix the problem and hopefully for the Plesk programmers to get off their butts and fix the problem.

We do web programming, and based on what we see in the admin panel logs, it should not be too hard for them to put a check in the CP to see if the file manager request is coming from the Plesk CP or externally. A normal request from PP does not have the user name and domain id, for a start.

I do not know what all the implications would be, but it seems that, given what is going on, they should at least investigate the possibility.

That being said, does anyone know how to disable the file manager in the Windows version of Plesk? Renaming or moving /admin/bin/filemng.exe does disable the file manager from working.
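The previous post suggests telling panel-originated file-manager requests apart from externally crafted ones by looking at the admin panel logs. The script below is an added example of that kind of check run over log lines; it is not code from Plesk or from the poster. Everything specific in it is assumed: the log is taken to be in Apache "combined" format, the file manager is taken to live under the path /filemanager/ in the panel UI, and the client-supplied identity fields are taken to be named user and dom_id. The log lines are constructed for the example.

```python
"""Triage panel access logs for file-manager requests that look externally crafted.

Added example for this thread, not Plesk code. All paths, parameter names and
the log layout below are assumptions; adjust them to the real panel.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed: Apache "combined" log format. Plesk's real panel log may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed: the file manager is reached under this path in the panel UI.
FILEMNG_PATH = "/filemanager/"

# Assumed names for the identity fields the post says a normal panel request
# does not carry (the panel knows them from the session, not from the client).
IDENTITY_PARAMS = {"user", "dom_id"}

# Constructed sample log lines (RFC 5737 addresses; not real traffic).
SAMPLE_LOG = [
    # benign: navigation from inside the panel, no identity parameters
    '203.0.113.10 - - [10/Jul/2012:09:12:01 +0000] "GET /filemanager/?cmd=list&path=/httpdocs HTTP/1.1" 200 5120 "https://panel.example.net:8443/domains/hosting.php" "Mozilla/5.0"',
    # crafted: identity supplied by the client, no Referer
    '198.51.100.7 - - [10/Jul/2012:09:12:44 +0000] "GET /filemanager/?cmd=upload&user=admin&dom_id=42&path=/httpdocs HTTP/1.1" 200 310 "-" "python-requests/0.13"',
    # crafted: Referer points at a foreign host
    '198.51.100.9 - - [10/Jul/2012:09:13:02 +0000] "POST /filemanager/?cmd=edit&path=/httpdocs/index.php HTTP/1.1" 200 220 "http://attacker.example/" "Mozilla/5.0"',
    # unrelated request, ignored by the check
    '203.0.113.10 - - [10/Jul/2012:09:13:30 +0000] "GET /login_up.php3 HTTP/1.1" 200 1290 "-" "Mozilla/5.0"',
]
PANEL_HOST = "panel.example.net:8443"  # assumed panel host:port


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def check_request(rec, panel_host):
    """Return the reasons a file-manager request looks externally crafted ([] if clean)."""
    reasons = []
    if not rec["path"].startswith(FILEMNG_PATH):
        return reasons  # not a file-manager request; nothing to judge
    carried = IDENTITY_PARAMS & set(rec["params"])
    if carried:
        reasons.append("identity parameters supplied by client: " + ", ".join(sorted(carried)))
    ref = rec["referer"]
    if ref in ("", "-"):
        reasons.append("no Referer; panel navigation is assumed to always send one")
    else:
        ref_host = urlsplit(ref).netloc
        if ref_host and ref_host != panel_host:
            reasons.append(f"Referer host {ref_host} is not the panel ({panel_host})")
    return reasons


def scan(lines, panel_host):
    """Run check_request over every parseable line; return (ip, path, reasons) per hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check_request(rec, panel_host)
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG, PANEL_HOST):
        print(f"{ip} {path}")
        for r in reasons:
            print(f"    - {r}")
```

This is a log-triage heuristic, not a control: both the query string and the Referer header are chosen by the client, so an attacker who knows the check can forge them. The durable fix is the one the post asks for, a server-side check that derives user and domain from the authenticated session instead of accepting them from the request.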
 
I have to say, this topic is awfully quiet for a real vulnerability. I'm starting to get convinced it's actually the harvested passwords from February.
 
Just installed http://kb.parallels.com/en/114379 using the link for the custom fix for Linux 8.6, and now trying to access the control panel comes up with

The file /usr/local/psa/admin/htdocs/index.php is part of Plesk 9 distribution. It cannot be run outside of Plesk 9 environment.

The install looked right:
/usr/local/psa/admin/bin/php plesk_remote_vulnerability_fix_deployer.php
Copying "8.6.0/Agent.php" to "/usr/local/psa/admin/plib/api-rpc/Agent.php"
Copying "8.6.0/help.php" to "/usr/local/psa/admin/htdocs/help.php"
Copying "8.6.0/common_func.php3" to "/usr/local/psa/admin/plib/common_func.php3"
Copying "8.6.0/AgentSubDomain.php" to "/usr/local/psa/admin/plib/api-rpc/AgentSubDomain.php"
Restarting Plesk
The patch has been successfully applied.

So what's up?
 
I'm still waiting for an official e-mail about this, I want to know details. The KB article mentions an internal security audit, but this situation is far from an internal security audit :)
 
@jdarby > Same problem, solved by manually updating the files /usr/local/psa/admin/plib/common_func.php3 and /usr/local/psa/admin/plib/api-rpc/AgentSubDomain.php from another Plesk 8.6 server (one that was updated by the autoinstaller); the other 2 files are ok...
 
Here the updates to 8.6 Linux worked well, but we now have problems with our 9.5.5 central e-mail server (Windows)...

See thread here: http://forum.parallels.com/showpost.php?p=631297&postcount=7

I hope Parallels really gets those security flaws under control...
It is not a good feeling to think that you are sitting on top of a ticking timebomb all the time and somebody has access to all our plesk-based systems...

Best regards,

Chris
 
Never mind, fixed it by running /usr/local/psa/admin/sbin/autoinstaller --select-release-current --upgrade-installed-components. It auto-installed the correct versions. All good again.
 
I updated our Plesk 9.5 Linux servers (Plesk, Atmail, PHPMyAdmin), everything seems fine.
 
The KB article is gone... Some more communication from Parallels would be nice....
 
@IgorG
Can we get some more information on this?
This morning KB article 114379 had some scripts to do manual updates; they are gone now, and it only says we should install MicroUpdates.
And does it have anything to do with this topic?
 