
Server Plesk 9.2 Hacked

Nguyen Thang Long

Guest
I am testing Plesk 9.2 on Windows Server 2003.
I tried to hack this server with a webshell (aspx & asp).
Example:
When I ran:
<%@ Language=VBScript %>
<%
On Error Resume Next
Dim oScript
Dim gURL
gURL = Request.ServerVariables("APPL_PHYSICAL_PATH")
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Call oScript.Run ("c:\\WINDOWS\\system32\\cmd.exe",1,True)
%>

Then the server's Task Manager shows cmd.exe running as the user: IWAM_Plesk(Default)
Or when I used a webshell (http://www.guru.net.vn/kshell_1.2.zip), I could hack the websites of other users on this server.
I used the Plesk tools to make sure the server permissions were correct, but that does not fix the problem.

I can't fix it. Who can secure this and fix that error? Help me?

Thanks so much !
 
I have reported this problem to the developers with high priority. I will update this thread with the results as soon as I receive them.
 
The problem is still under the developers' investigation. I will update the thread as soon as I receive any useful information.
 
This issue is caused because by default all users' applications work inside a single AppPool, so they probably have access to each other's content.

This issue can be resolved if you set <domain> -> Web Hosting Settings -> 'Use dedicated pool' on every domain (you can also use mass domain operations). Additionally, you can set the Home -> IIS Application Pool -> Global Settings -> 'Always place all domains in the shared application pool' option. It will run each site in a separate pool, and their applications won't be able to read each other.
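
One way to check which sites still share a worker process after changing the pool settings described above. This is an added example, not code from the thread or from Plesk; it assumes IIS 6 in worker process isolation mode with the `IIS://` ADSI provider available, and it reads only each site's ROOT application (the script file name is arbitrary).

```vbscript
' Added example: group IIS 6 sites by application pool and flag shared pools.
' Assumes worker process isolation mode; checks each site's ROOT application only.
' Run on the server: cscript //nologo audit-pools.vbs
Option Explicit
Dim svc, site, root, poolId, sites, counts, key

Set sites = CreateObject("Scripting.Dictionary")
Set counts = CreateObject("Scripting.Dictionary")
sites.CompareMode = vbTextCompare      ' pool names are case-insensitive
counts.CompareMode = vbTextCompare

Set svc = GetObject("IIS://localhost/W3SVC")
For Each site In svc
    If site.Class = "IIsWebServer" Then
        poolId = ""
        On Error Resume Next           ' skip sites that have no ROOT application
        Set root = GetObject(site.ADsPath & "/ROOT")
        If Err.Number = 0 Then poolId = root.AppPoolId
        Err.Clear
        On Error GoTo 0
        If poolId <> "" Then
            If Not counts.Exists(poolId) Then
                counts.Add poolId, 0
                sites.Add poolId, ""
            End If
            counts(poolId) = counts(poolId) + 1
            sites(poolId) = sites(poolId) & "    " & site.Name & "  " & site.ServerComment & vbCrLf
        End If
    End If
Next

' A pool serving more than one site means those sites run under one identity.
For Each key In counts.Keys
    If counts(key) > 1 Then
        WScript.Echo "SHARED  " & key & "  identity=" & PoolIdentity(key) & "  sites=" & counts(key)
    Else
        WScript.Echo "OK      " & key & "  identity=" & PoolIdentity(key)
    End If
    WScript.Echo sites(key)
Next

' Returns the account the pool's worker process runs as.
Function PoolIdentity(name)
    Dim pool, builtin
    builtin = Array("LocalSystem", "LocalService", "NetworkService")
    PoolIdentity = "(unknown)"
    On Error Resume Next
    Set pool = GetObject("IIS://localhost/W3SVC/AppPools/" & name)
    If Err.Number = 0 Then
        If pool.AppPoolIdentityType = 3 Then PoolIdentity = pool.WAMUserName Else PoolIdentity = builtin(pool.AppPoolIdentityType)
    End If
    Err.Clear
End Function
```

Any pool reported as SHARED still hosts several customers' code in one worker process; separate pools that report the same identity are also worth reviewing, because file ACLs granted to that account apply to all of them.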
 