
SQL Injection Fix - HELP!!

Discussion in 'Plesk for Linux - 8.x and Older' started by wilke, Sep 19, 2007.

  1. wilke (Guest)

    So I received this notice yesterday about the SQL injection vulnerability in Plesk 8.2.0 for Linux:
    http://packetstorm.offensive-security.com/0709-exploits/hackersafe-plesk.txt

    This document contained a link to SWsoft's webpage, which included a "fix" for the issue. I downloaded and replaced my auth.php3 and now I cannot access Plesk at all.
    When I go to the login page I now get this error: "This file is part of Plesk distribution. It cannot be run outside of Plesk environment."

    I looked at the announcements forum to find out SWsoft was pushing a completely different patch for this on a different file. I have updated this file now too, however I get the same error. Any assistance would be greatly appreciated.

    Does anyone have a copy of auth.php3 for Linux? It looks like the initial advisory that I downloaded was for Windows boxes only ;(
     
  2. Rico Kerster (Guest)

    Hi wilke,

    The link describes a vulnerability for Windows, not Linux. I think you've posted the wrong security advisory; the link to the patches is for Windows.

    As a suggestion, never let anyone access your Plesk login page! Use iptables to filter the hosts, either IP based (if static) or with parts from your hostmask, but don't leave it open to everyone! Not sure, maybe you could put a .htaccess basic auth in front of it... but never leave it unprotected!

    Please check again if the advisory applies to Linux as well.

    Kind regards
    Rico
     
  3. wilke (Guest)

    I just noticed that... boy oh boy, do I feel stupid! I forgot to make a backup of the auth.php3 file that I overwrote. Can someone share a copy of theirs with me so I don't have to reinstall? The second advisory does apply to Unix/Linux boxes running Plesk, except for version 8.1.1.
     
  4. Pagemakers (Silver Pleskian)

    I got the same type of email from 1&1 today and it concerns me somewhat...

    1) After calling 1&1 they know nothing of the email.

    2) Why is this vulnerability fixed but a regular Plesk CP update?

    I am concerned that this email was some sort of spam....
     
  5. Rico Kerster (Guest)

    I think to do it cleanly and not have to worry whether you're getting a "nice" file... can't you download it from swsoft.com? That would be the safest way, because asking for such kinds of files (important files) and putting them blindly onto your machine shouldn't be your best option.

    If you're using Windows and Plesk up to 8.2 you should apply this patch: http://kb.swsoft.com/en/2159

    If you're using Linux I guess you should update to 8.2... just update every time, it's your best way to keep safe. (I don't get what email this was... sorry, just guessing around what it could be.)

    Kind regards
    Rico Kerster
     
  6. Pagemakers (Silver Pleskian)

    My Linux box is up to date, but the email (below) suggests that only version 8.1.1 is safe and I am on 8.2.0. I have never received such an email from 1&1 in years. The updates all come from the Plesk CP itself, so why is this any different?

    If you are currently using Plesk on your server, please be advised that you need to perform an important security update.

    As the administrator, you are solely responsible for all the security concerns of your server. This means you are liable in the event of misuse and any resulting damage or costs. The following information is provided to you as a courtesy and 1&1 does not guarantee that the information is correct, nor can 1&1 warrantee or guarantee the Plesk software or any related updates. For details, please see the General Terms and Conditions of Service for your 1&1 hosting package.


    Security Update Notification
    ================================

    A security breach has currently made all versions of Plesk 8 for Linux Server (excluding version 8.1.1) vulnerable to an SQL injection.

    To find out which version of Plesk you are currently using, please go to the login page of your server using Plesk.

    Follow the step-by-step guide below to update your server:

    Step 1: Log in as root to your server using SSH.


    Step 2: Rename the old file /usr/local/psa/admin/plib/class.Session.php on your Plesk, for example:

    # cp /usr/local/psa/admin/plib/class.Session.php /usr/local/psa/admin/plib/class.Session.php.old


    Step 3: Select the hotfix for your Plesk version:

    * For Plesk v8.0.0 and v8.0.1:
    http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.0.1/114298/class.Session.php

    * For Plesk v8.1.0:
    http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.1.0/114298/class.Session.php

    * For Plesk 8.2.0:
    http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.2.0/114298/class.Session.php


    Step 4: Put the downloaded file in the appropriate folder, for example:

    # cp ./class.Session.php /usr/local/psa/admin/plib/class.Session.php


    Step 5: Restart Plesk using the command below:
    # /usr/local/psa/admin/bin/httpsdctl restart

    If you have any further questions, please contact our expert support team directly.


    Best regards,
    Your 1&1 Internet Team
    1and1.co.uk
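The five steps in the quoted notice, wrapped as an added shell example (not code from the thread, from 1&1 or from SWsoft). It keeps a verified backup of class.Session.php before anything is overwritten (the step wilke skipped with auth.php3), rejects an obviously wrong download before it goes live, and swaps the file in atomically so a failed copy cannot leave a truncated file behind. The paths, hotfix URLs and restart command are the ones quoted in the notice; the download itself is left to the operator so the script runs offline. Reading the installed version from /usr/local/psa/version, and the expectation that the hotfix is a PHP file defining a Session class, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not SWsoft/Parallels code: wraps the
# hotfix steps from the 1&1 notice so the original class.Session.php is always
# backed up and verified first, and the replacement is checked before it goes
# live. Paths, hotfix URLs and the restart command are those quoted in the
# notice; the download is left to the operator (wget/curl) so this runs offline.
set -eu

PLIB_DIR="${PLIB_DIR:-/usr/local/psa/admin/plib}"

# Hotfix URL for a Plesk version, as listed in the notice. Fails for versions
# the notice does not cover (it names 8.1.1 as not affected).
hotfix_url() {
    base="http://download1.swsoft.com/Plesk/Hotfix/PleskUnix"
    case "$1" in
        8.0.0|8.0.1) echo "$base/8.0.1/114298/class.Session.php" ;;
        8.1.0)       echo "$base/8.1.0/114298/class.Session.php" ;;
        8.2.0)       echo "$base/8.2.0/114298/class.Session.php" ;;
        *)           return 1 ;;
    esac
}

# Installed Plesk version. ASSUMPTION: first word of /usr/local/psa/version;
# the notice itself says to read the version off the login page instead.
plesk_version() {
    awk 'NR == 1 { print $1 }' /usr/local/psa/version
}

# Copy $1 to a time-stamped .old file and verify the copy byte for byte
# before anything is overwritten. Prints the backup path.
backup_file() {
    target="$1"
    backup="$target.old.$(date +%Y%m%d%H%M%S)"
    [ -f "$target" ] || { echo "no such file: $target" >&2; return 1; }
    cp -p "$target" "$backup" || return 1
    cmp -s "$target" "$backup" || { echo "backup does not match: $backup" >&2; return 1; }
    echo "$backup"
}

# Reject an obviously wrong download before it replaces anything: the file
# must be non-empty, start with a PHP open tag and define a Session class
# (ASSUMPTION about the hotfix's contents, based only on its file name).
check_hotfix() {
    f="$1"
    [ -s "$f" ] || { echo "hotfix is empty or missing: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^<?' || { echo "not a PHP file: $f" >&2; return 1; }
    grep -qi 'class[[:space:]]*Session' "$f" || { echo "no Session class in $f" >&2; return 1; }
}

# Put hotfix $1 in place of $2: check, back up, then swap in atomically with
# the original's mode preserved, so a failure half way never leaves a
# truncated class.Session.php. Prints the backup path.
install_hotfix() {
    new="$1"; target="$2"
    check_hotfix "$new" || return 1
    backup=$(backup_file "$target") || return 1
    tmp="$target.new.$$"
    cp -p "$target" "$tmp" && cat "$new" > "$tmp" && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    cmp -s "$new" "$target" || { echo "installed file differs from $new" >&2; return 1; }
    echo "$backup"
}

# Restart command as given in step 5 of the notice.
restart_plesk() {
    /usr/local/psa/admin/bin/httpsdctl restart
}

# Usage (as root, per step 1): sh apply_hotfix.sh <downloaded class.Session.php> [plesk version]
main() {
    ver="${2:-$(plesk_version)}"
    url=$(hotfix_url "$ver") || { echo "no hotfix listed for Plesk $ver" >&2; return 1; }
    echo "expected hotfix for Plesk $ver: $url" >&2
    backup=$(install_hotfix "$1" "$PLIB_DIR/class.Session.php") || return 1
    echo "installed; original kept as $backup" >&2
    restart_plesk
}

[ $# -eq 0 ] || main "$@"
```

Fetch the file for your version from the URL hotfix_url prints into a scratch directory first, then run the script against that copy, e.g. `sh apply_hotfix.sh ./class.Session.php 8.2.0`. If the check or the backup fails, nothing under /usr/local/psa is touched and Plesk is not restarted, which is the point Rico makes above about never copying a file of unknown origin over a live one.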
     
  7. Rico Kerster (Guest)

    I'd say apply the patches as described here:
    http://kb.swsoft.com/en/2169
    Don't replace the old files; copy or rename them so you've got a backup in case something goes wrong.

    Kind regards
    Rico
     
  8. wilke (Guest)

    Found it, thanks for all the help :)
     