
Serious Security Problem

beri (Guest)

Hello,

I am having a serious security problem. Plesk 7.5.6 and Windows fully patched.

Yesterday, in all domain vhosts' httpdocs, the following files were replaced:

default.asp
default.htm
index.asp
index.cfm
index.htm
index.html
index.php

The new files were directing to a hacker page.

I did not find any important hints in the log files on how this attack was done.

Can anyone help me find a solution for how to determine the security problem? Or does anyone have the same problem?

Thanks!
 
We are experiencing the same phenomenon on our Plesk 7.5.5 machine.

All of our sites were 'defaced'. Unfortunately we have little clue.

Has anyone else seen things like this happen?

A full restore would fix the symptom but how can we fix the cause?

Where to look?
 
I did some research today, but I still have no idea what's going on.

According to zone-h.org, the hacker did this mass defacement to about 900 sites in the last ten days. 99% Windows Server 2003.

Help appreciated.
 
I had the same problem. The problem comes from Plesk's wrong user permissions. Plesk defined the users with wrong permissions listed below:
psacln
psaadm
psaserv

psacln is one of the most important. This user lets an attacker compromise the server and download databases!!!
FSO ("File System Object") is the best-known method for lamers. With FSO anyone can access the domains hosted on the server. An attacker can upload files to any domain, etc.! They can take over the whole server too. FSO is normally a coding tool for web developers, but if user permissions are wrong on the server then FSO is very dangerous. Removing FSO is easy, but of course customers will not be happy with it because some functions will not work on the server with ASP.
At the command prompt or in the "Run" box do this:
regsvr32 -u scrrun.dll
then press Enter.

Don't worry that FSO will no longer work. If you want to reload FSO, do:
regsvr32 scrrun.dll
then FSO will be reloaded on the server, but remember the security issue.

Somebody also recommends:
regsvr32 -u wshom.ocx

And never give "Everyone" permission on any folder!
If you need to give write permissions for databases, then right-click the "httpdocs" folder, click "modify" for "Plesk IIS USR....", click "Advanced", click the "replace........." box, click "OK", "Yes", then "OK" again.

A better way is to apply that permission only on the folder where the .mdb databases are located, or where write permissions are needed.

A much better way is to apply that "IIS USR.." on the domain's "private" folder, give it "modify" permissions, and let the customer know to upload his databases to the private folder. Because any visitor may download an .mdb database from the "httpdocs" folder with Explorer, as it is a web publishing folder.

NOTE: a "virtual path" cannot be used within the "private" folder, so the "physical path" should be used: "c:\inetpub\vhosts\domain\private". The code should also point to that physical folder, not a virtual one.

Now let's talk about whether that fixes the security problem.
NOT really! Because the wrong user permissions are still there, but as I told before, FSO is the best-known method for attackers. An attacker can still compromise the system using other methods until Plesk fixes the wrong permissions. For example, if you deny permissions for the "psacln" user then some serious Plesk functions will not work; MySQL will not work. But that user makes the server available to get hacked at any time, because this user also gives all domain users access to the server's system folders.

As you see, the real problem is not FSO but user permissions. If the user permissions get fixed then FSO is not dangerous.

On the other hand, this is a serious Microsoft Windows security problem. Because normally, no matter what permission you give, FSO is an ASP tool, so users should not be able to access system directories and domains that do not belong to them; of course that is my opinion. Anyway, Microsoft won't answer this question; if you ask them they say they don't give support for IIS, blah!

Plesk should check the permission architecture and let us know how to fix it, or publish a patch, since it's not easy for us to fix it.

PS: Do not do anything with permissions if you don't know what you are doing!

Any help would be appreciated.
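An audit script covering the two things this thread describes: the replaced default documents reported in the first post, and the "Everyone" permission and FSO (scrrun.dll) advice in the post above. It is an added example, not code from the thread or from Plesk, and assumes the vhost root C:\inetpub\vhosts quoted above and PowerShell 3 or later.

```powershell
# Added example, not from the thread: a post-defacement audit an administrator
# of a Plesk-for-Windows server could run. Assumes vhosts live under
# C:\inetpub\vhosts (the path quoted above); adjust $VhostRoot otherwise.
param(
    [string]$VhostRoot = 'C:\inetpub\vhosts',
    [int]$HoursBack    = 48
)

# The default documents the thread reports as replaced in every httpdocs.
$defaultDocs = 'default.asp','default.htm','index.asp','index.cfm',
               'index.htm','index.html','index.php'
$since = (Get-Date).AddHours(-$HoursBack)

# Identities that should never hold write access on a web root.
$broadIdentities = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

foreach ($domain in Get-ChildItem -Path $VhostRoot -Directory) {
    $httpdocs = Join-Path $domain.FullName 'httpdocs'
    if (-not (Test-Path $httpdocs)) { continue }

    # 1. Default documents touched within the window: candidate defaced files.
    Get-ChildItem -Path $httpdocs -File -ErrorAction SilentlyContinue |
        Where-Object { $defaultDocs -contains $_.Name.ToLower() -and
                       $_.LastWriteTime -gt $since } |
        ForEach-Object {
            '{0,-30} {1,-12} modified {2}' -f $domain.Name, $_.Name, $_.LastWriteTime
        }

    # 2. Allow ACEs granting write/modify/full control to Everyone or other
    #    broad groups on httpdocs, the mistake the post above warns against.
    (Get-Acl -Path $httpdocs).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broadIdentities -contains $_.IdentityReference.Value -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object {
            '{0,-30} {1} has {2} on httpdocs' -f $domain.Name, $_.IdentityReference, $_.FileSystemRights
        }
}

# 3. Is Scripting.FileSystemObject (scrrun.dll) still registered? While its
#    ProgID key exists, any ASP page on the server can create the object.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\Scripting.FileSystemObject') {
    'Scripting.FileSystemObject is registered (scrrun.dll still loaded)'
} else {
    'Scripting.FileSystemObject is not registered'
}
```

Compare the listed files against a known-good backup rather than trusting timestamps alone, since a replaced file can carry any LastWriteTime.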
 
I think it is practical to check the System log for MSFTPSVC warnings. Some servers are periodically brute-force attacked for FTP accounts.

John S.G.
 
Any customer can attack the server since FSO is enabled on the server. No need for a brute-force attack to do that. I hope this issue gets fixed soon.
 