
Server Plesk 9.2 Hacked


Nguyen Thang Long

Guest
I am testing Plesk 9.2 on Windows Server 2003.
I tried to hack this server with a webshell (aspx & asp).
Example:
When I ran:
<%@ Language=VBScript %>
<%
On Error Resume Next
Dim oScript
Dim gURL
gURL = Request.ServerVariables("APPL_PHYSICAL_PATH")
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Call oScript.Run ("c:\\WINDOWS\\system32\\cmd.exe",1,True)
%>

Then the server's Task Manager shows cmd.exe running as the user: IWAM_Plesk(Default)
Or when I used a webshell (http://www.guru.net.vn/kshell_1.2.zip), I could hack the websites of other users on this server.
I used the Plesk tools to make sure of the server's permissions, but that did not fix the problem.

I can't fix it. Who can secure this and fix that error? Help me?

Thanks so much !
 
I have reported this problem to the developers with high priority. I will update this thread with the results as soon as I receive them.
 
The problem is still under the developers' investigation. I will update the thread as soon as I receive any useful information.
 
This issue is caused by the fact that, by default, all users' applications work inside a single AppPool. So they probably have access to each other's content.

This issue can be resolved if you set <domain> -> Web Hosting Settings -> 'Use dedicated pool' on every domain (you can also use mass domain operations). Additionally, you can set the Home -> IIS Application Pool -> Global Settings -> Always place all domains in the shared application pool option. It will run each site in a separate pool, and their applications won't be able to read each other.
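
A way to audit for the shared-pool condition described in the reply above, added here as an example and not part of the original thread or of Plesk's own tooling: it reads an IIS 6 MetaBase.xml-style document and lists application pools that serve more than one site, following AppPoolId inheritance from parent keys. The sample metabase, site names and pool names are constructed, and the script assumes each site's application is rooted at `<site>/ROOT`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{urn:microsoft-catalog:XML_Metabase_V64_0}"

# Constructed sample in the style of an IIS 6 MetaBase.xml (not from the thread).
SAMPLE_METABASE = """
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebService Location="/LM/W3SVC" AppPoolId="SharedPool"/>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="alpha.example"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"/>
  <IIsWebServer Location="/LM/W3SVC/2" ServerComment="beta.example"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="SharedPool"/>
  <IIsWebServer Location="/LM/W3SVC/3" ServerComment="gamma.example"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" AppPoolId="gamma.example(pool)"/>
 </MBProperty>
</configuration>
"""

def effective_pool(location, pools):
    """Walk up the metabase path until a key that sets AppPoolId is found."""
    key = location.upper().rstrip("/")
    while key:
        if key in pools:
            return pools[key]
        key = key.rpartition("/")[0]  # drop the last path segment
    return None

def shared_pools(metabase_xml):
    """Return {pool: [site names]} for every pool used by more than one site."""
    root = ET.fromstring(metabase_xml)
    pools, sites = {}, {}
    for el in root.iter():
        loc = el.get("Location", "").upper().rstrip("/")
        if not loc:
            continue
        if el.get("AppPoolId"):
            pools[loc] = el.get("AppPoolId")
        if el.tag == NS + "IIsWebServer":
            sites[loc] = el.get("ServerComment", loc)
    by_pool = defaultdict(list)
    for loc, name in sites.items():
        by_pool[effective_pool(loc + "/ROOT", pools)].append(name)
    return {p: sorted(n) for p, n in by_pool.items() if len(n) > 1}

if __name__ == "__main__":
    for pool, names in shared_pools(SAMPLE_METABASE).items():
        print(f"pool {pool!r} is shared by: {', '.join(names)}")
```

Any pool it reports is one where a script running in one customer's site executes under the same worker-process identity as the other sites listed.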
 