
SQL Injection Fix - HELP!!

wilke (Guest)
So I received this notice yesterday about the SQL Injection vulnerability in Plesk 8.2.0 for Linux.
http://packetstorm.offensive-security.com/0709-exploits/hackersafe-plesk.txt

In this document contained a link to sw-soft's webpage which included a "Fix" for the issue. I downloaded and replaced my auth.php3 and now I cannot access plesk at all.
When I go to the login page I now get this error, "This file is part of Plesk distribution. It cannot be run outside of Plesk environment."

I looked at the announcements forum to find out swsoft was pushing a completely different patch for this on a different file. I have updated this file now too however I get the same error. Any assistance would be greatly appreciated.

Does anyone have a copy of auth.php3 for Linux? Looks like the initial advisory that I downloaded was for Windows boxes only ;(
 
Hi wilke

In the link there's a vulnerability described for Windows not Linux, I think you've posted the wrong security advisory, the link to the patches is for Windows.

As a suggestion, never let anyone access your plesk login page! Use IPTables to filter the hosts, either IP based (if static) or with parts from your hostmask, but don't let it open to everyone! Not sure maybe you could put a .htaccess basic auth in front of it.. but never leave it unprotected!

Please check again if the advisory applies to Linux as well.

Kind regards
Rico
 
I just noticed that boy oh boy do I feel stupid! I forgot to make a backup of the auth.php3 file that I overwrote. Can someone share a copy of theirs with me so I don't have to reinstall??? The second advisory does apply to Unix/Linux boxes running Plesk except for version 8.1.1
 
I got the same type of email from 1&1 today and it concerns me somewhat...

1) After calling 1&1 they know nothing of the email.

2) Why is this vulnerability fixed but a regular Plesk CP update?

I am concerned that this email was some sort of spam....
 
Originally posted by wilke
I forgot to make a backup of the auth.php3 file that I overwrote. Can someone share a copy of theirs with me so I don't have to reinstall???
I think to do it clean and not having to worry you're getting a "nice" file.. can't you download it from swsoft.com? Would be the safest way, because asking for such kind of files (important files) and putting them blindly onto your machine shouldn't be your best option.

Originally posted by Pagemakers

Why is this vulnerability fixed but a regular Plesk CP update?
If you're using Windows and Plesk up to 8.2 you should apply this patch: http://kb.swsoft.com/en/2159

If you're using Linux I guess you should update to 8.2.. just update every time.. your best way to keep safe. (I don't get what email this was.. sorry just guessing around what it could be)

Kind regards
Rico Kerster
 
My Linux box is up to date but the email (below) suggests that only version 8.1.1 is safe and I am on 8.2.0. I have never received such an email from 1&1 in years. The updates all come from the Plesk CP itself, so why is this any different?

If you are currently using Plesk on your server, please be advised that you need to perform an important security update.

As the administrator, you are solely responsible for all the security concerns of your server. This means you are liable in the event of misuse and any resulting damage or costs. The following information is provided to you as a courtesy and 1&1 does not guarantee that the information is correct, nor can 1&1 warrantee or guarantee the Plesk software or any related updates. For details, please see the General Terms and Conditions of Service for your 1&1 hosting package.


Security Update Notification
================================

A security breach has currently made all versions of Plesk 8 for Linux Server (excluding version 8.1.1) vulnerable to an SQL injection.

To find out which version of Plesk you are currently using, please go to the login page of your server using Plesk.

Follow the step-by-step guide below to update your server:

Step 1: Log in as root to your server using SSH.


Step 2: Rename the old file /usr/local/psa/admin/plib/class.Session.php on your Plesk for example:

# cp /usr/local/psa/admin/plib/class.Session.php /usr/local/psa/admin/plib/class.Session.php.old


Step 3: Select the hotfix for your Plesk version:

* For Plesk v8.0.0 and v8.0.1:
http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.0.1/114298/class.Session.php

* For Plesk v8.1.0:
http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.1.0/114298/class.Session.php

* For Plesk 8.2.0:
http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.2.0/114298/class.Session.php


Step 4: Put the downloaded file in the appropriate folder, for example # cp ./class.Session.php /usr/local/psa/admin/plib/class.Session.php


Step 5: Restart Plesk using the command below:
# /usr/local/psa/admin/bin/httpsdctl restart

If you have any further questions, please contact our expert support team directly.


Best regards,
Your 1&1 Internet Team
1and1.co.uk
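A shell script, added here and not taken from the 1&1 notice or from Plesk, that carries out the five steps in the email while adding the two safeguards this thread shows are needed: it refuses to proceed without first taking the backup wilke skipped, and it rejects a downloaded file that is not PHP (an error page or a file meant for another platform) before it overwrites class.Session.php. It assumes the PLIB_DIR variable can be overridden for testing and that wget is available.

```shell
#!/bin/sh
# Added example: applies the class.Session.php hotfix described in the
# notification, with a backup-first rule and a download sanity check.
set -eu

PLIB_DIR="${PLIB_DIR:-/usr/local/psa/admin/plib}"   # overridable for testing
HOTFIX_BASE="http://download1.swsoft.com/Plesk/Hotfix/PleskUnix"

# Map the installed Plesk version to the hotfix URL listed in the notice.
# Returns 1 for versions the notice does not cover (8.1.1 is stated as not vulnerable).
hotfix_url() {
    case "$1" in
        8.0.0|8.0.1) echo "$HOTFIX_BASE/8.0.1/114298/class.Session.php" ;;
        8.1.0)       echo "$HOTFIX_BASE/8.1.0/114298/class.Session.php" ;;
        8.2.0)       echo "$HOTFIX_BASE/8.2.0/114298/class.Session.php" ;;
        *)           return 1 ;;
    esac
}

# Accept a downloaded file only if it begins with a PHP open tag; an HTML
# error page copied into plib would leave the control panel unusable.
looks_like_php() {
    head -c 5 "$1" | grep -q '^<?php'
}

# Step 2 and Step 4: back up the original (never clobbering an existing
# .old copy) and only then install the replacement.
install_hotfix() {
    target="$PLIB_DIR/class.Session.php"
    new_file="$1"
    if [ -e "$target.old" ]; then
        echo "backup $target.old already exists; refusing to overwrite it" >&2
        return 1
    fi
    looks_like_php "$new_file" || { echo "downloaded file is not PHP" >&2; return 1; }
    cp "$target" "$target.old"
    cp "$new_file" "$target"
}

# Usage: sh plesk_hotfix.sh 8.2.0   (run as root, per Step 1)
if [ -n "${1:-}" ]; then
    url=$(hotfix_url "$1") || { echo "no hotfix listed for Plesk $1" >&2; exit 1; }
    tmp=$(mktemp)
    wget -q -O "$tmp" "$url"            # Step 3
    install_hotfix "$tmp"
    /usr/local/psa/admin/bin/httpsdctl restart   # Step 5
fi
```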
 