Facebook
Twitter
Good idea, but if you have SSO or CBM - this port should be changed in database and maybe somewhere else.
But note that officially we recommend you use our best practice.
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
Security problem with filemng
- Thread starter galaxy
- Start date
Good idea, but if you have SSO or CBM - this port should be changed in database and maybe somewhere else.
But note that officially we recommend you use our best practice.
Some recent vulnerability claims seem to be based on old vulnerabilities that already have been patched –but possibly where Passwords were not completely reset or where Customers changed back to old and vulnerable passwords. We are currently investigating this new reported vulnerability on Plesk 10.4 and earlier. At this time the claims are unsubstantiated and we are unable to confirm this vulnerability and cannot confirm that this vulnerability is limited to any specific operating system.
Read more information in the article http://kb.parallels.com/en/114330
Read more information in the article http://kb.parallels.com/en/114330
M
matmatmat
Guest
The command line to apply the microupdate does not work :
/usr/local/psa/admin/sbin/autoinstaller --select-release-current --reinstall-patch --install-component base
/usr/local/psa/admin/sbin/autoinstaller: unrecognized option `--reinstall-patch'
ERROR: You specified an unknown option.
Not all packages were installed.
What do I have to do ?
Thanks
M
matmatmat
Guest
Thanks for your reply.
My version of Plesk is 8.6. I tried without the "--reinstall-patch" option but when I have checked my server with your script "plesk_remote_vulnerability_checker.php", the output is still "The patch has not been applied".
My version of Plesk is 8.6. I tried without the "--reinstall-patch" option but when I have checked my server with your script "plesk_remote_vulnerability_checker.php", the output is still "The patch has not been applied".
D
DaddyC
Guest
Will renaming /usr/local/psa/admin/bin/filemng help to prevent this from happening atleast until a perfect fix is available ?
M
MihaiV
Guest
Renaming it will cause file manager not work and will break the automated script but this won't actually fix a possible security hole.. Also will have a nice effect of displaying a crash in interface when accessing file manager.
Yes, but the filemanager rename buys time to fix the problem and hopefully Plesk programmers to get off their butts and fix the problem.
We do web programming, and based on what we see in the admin panel logs, it should not be to hard for them to put a check in the CP to see if the filemanager request is coming from the Plesk CP or externally. A normal request from PP does not have the user name and domain id for a start.
I do not know what all the implications would be , but it seems that given what is going on , they should at least investigate the possibility.
That being said, does any one know how to disable file manager in Windows version of Plesk. Renaming or moving /admin/bin/filemng.exe does disable file manager from working.
We do web programming, and based on what we see in the admin panel logs, it should not be to hard for them to put a check in the CP to see if the filemanager request is coming from the Plesk CP or externally. A normal request from PP does not have the user name and domain id for a start.
I do not know what all the implications would be , but it seems that given what is going on , they should at least investigate the possibility.
That being said, does any one know how to disable file manager in Windows version of Plesk. Renaming or moving /admin/bin/filemng.exe does disable file manager from working.
D
Dreiy83
Guest
I have to say; this topic is awfully quiet for a real vulnerability. I'm starting to get convinced it's actually the harvested passwords from Februari.
Looks like it was a new vulnerability after all
via twitter:
Plesk Service Team @PleskService
Plesk Service Team released "Big" Security Update for older Plesk versions. More details in KB article http://kb.parallels.com/en/114379
via twitter:
Plesk Service Team @PleskService
Plesk Service Team released "Big" Security Update for older Plesk versions. More details in KB article http://kb.parallels.com/en/114379
just installed http://kb.parallels.com/en/114379 using the link for custom fix for Linux 8.6 and now trying to access control panel comes up with
The installed looked right:
So what's up?
The installed looked right:
So what's up?
D
Dreiy83
Guest
I'm still waiting for an official e-mail about this, I want to know details. The KB article mentions an internal security audit, but this situation is far from an internal security audit 
any of you guys do the other updates that are part of the latest fix http://kb.parallels.com/en/114379?
How to upgrade Atmail to version 1.05 containing latest security updates on oldest Plesk versions
http://kb.parallels.com/en/114373
phpMyAdmin upgrade for oldest Plesk versions.
http://kb.parallels.com/en/114376
just wondering
How to upgrade Atmail to version 1.05 containing latest security updates on oldest Plesk versions
http://kb.parallels.com/en/114373
phpMyAdmin upgrade for oldest Plesk versions.
http://kb.parallels.com/en/114376
just wondering
Here the updates to 8.6 Linux worked well but we now have problems with our 9.5.5 central eMail-Server (Windows)...
See thread here: http://forum.parallels.com/showpost.php?p=631297&postcount=7
I hope Parallels really gets those security flaws under control...
It is not a good feeling to think that you are sitting on top of a ticking timebomb all the time and somebody has access to all our plesk-based systems...
Best regards,
Chris
See thread here: http://forum.parallels.com/showpost.php?p=631297&postcount=7
I hope Parallels really gets those security flaws under control...
It is not a good feeling to think that you are sitting on top of a ticking timebomb all the time and somebody has access to all our plesk-based systems...
Best regards,
Chris
D
Dreiy83
Guest
I updated our Plesk 9.5 Linux servers (Plesk, Atmail, PHPMyAdmin), everything seems fine.
D
Dreiy83
Guest
The KB article is gone... Some more communication from Parallels would be nice....
C
cipriani
Guest
Check http://kb.parallels.com/en/113321 , it shows "Last Review: Jul, 16 2012", maybe they merge it with the new one
LE: I see http://kb.parallels.com/en/114379 updated aswell, and working now.
LE: I see http://kb.parallels.com/en/114379 updated aswell, and working now.
Last edited by a moderator:
D
Dreiy83
Guest
@IgorG
Can we get some more information on this?
This morning KB-article 114379 had some scripts to do manual updates, they are gone now, it only says we should install MicroUpdates.
And does it have to do anything with this topic?
Can we get some more information on this?
This morning KB-article 114379 had some scripts to do manual updates, they are gone now, it only says we should install MicroUpdates.
And does it have to do anything with this topic?
