
SQL Injection vulnerability

Discussion in 'Plesk for Linux - 8.x and Older' started by 105547111, Sep 14, 2007.

  1. 105547111

    105547111 Silver Pleskian

    Joined:
    Jul 13, 2006
    Messages:
    643
    Likes Received:
    2
    You would think swsoft would have posted this in here - so I did!


    [FIX] SQL Injection vulnerability
    Article ID: 2169
    Last Review: Sep 13, 2007
    APPLIES TO:

    * Plesk 8.0.x
    * Plesk 8.1.x
    * Plesk 8.2

    SYMPTOMS
    SQL injection vulnerability within Plesk for Linux/Unix.
    RESOLUTION
    Please download the following file:

    For Plesk v8.0.0 and v8.0.1 :
    http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.0.1/114298/class.Session.php

    For Plesk v8.1.0 :
    http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.1.0/114298/class.Session.php

    For Plesk 8.2.0 :
    http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.2.0/114298/class.Session.php

    and replace /usr/local/psa/admin/plib/class.Session.php file on Plesk server with the downloaded new one.

    Plesk versions 7.5.4 and 8.1.1 are not affected by this vulnerability.
     
  2. webadmin

    webadmin Guest

     
  3. awlane

    awlane Guest

     
    Is this fix part of PSA 8.2.1?

    If I had 8.2.0 and did not apply this hotfix, will upgrading to 8.2.1 include this hotfix, or do I still have to manually replace the affected file?
     
  4. redpaint

    redpaint Guest

     
    I just applied this and now can't log into Plesk Admin panel. Anyone know why this might happen? Just get a blank screen.
     
  5. awlane

    awlane Guest

     
    What version of PSA are you running? Which file did you download and replace? What is its MD5SUM? Did you set group ownership of the file and restart httpd as per the KB entry?
     
  6. redpaint

    redpaint Guest

     
    Hi,

    Speedy response.

    Ok, I followed the instructions exactly as on http://kb.swsoft.com/en/2169 and checksum seems fine. OS is FreeBSD and Plesk 8.2.
     
  7. redpaint

    redpaint Guest

     
    md5 checksums
    downloaded class.Session.php:
    5b7a8071374aa94b83697aec72d1d556

    expected value from http://kb.swsoft.com/en/2169:
    5b7a8071374aa94b83697aec72d1d556

    I've also tried rebooting to no avail.
     
  8. awlane

    awlane Guest

     
    That is strange indeed.

    When you performed these two steps from the KB article, did you get any errors?

    chgrp psaadm /usr/local/psa/admin/plib/class.Session.php

    /usr/local/psa/admin/bin/httpsdctl restart

    Does the PSA httpd error log show any activity when you try to log into PSA now ?

    I am a RedHat guy with zero BSD exposure, so perhaps my troubleshooting path doesn't make much sense on a BSD box, but I am assuming it's very similar.
     
  9. redpaint

    redpaint Guest

     
    Hi,

    Thanks for the response. This is the activity I have for this afternoon:

    Code:
    [Thu Sep 27 16:30:46 2007] [error] [client 217.44.103.206] File does not exist: /usr/local/www/vhosts/default/htdocs/favicon.ico
    [Thu Sep 27 16:30:46 2007] [error] [client 217.44.103.206] File does not exist: /usr/local/www/vhosts/default/htdocs/img/glyph, referer: 
    [Thu Sep 27 16:31:19 2007] [error] [client 85.189.2.153] File does not exist: /usr/local/psa/psa-horde/favicon.ico
    [Thu Sep 27 16:43:26 2007] [notice] caught SIGTERM, shutting down
    [Thu Sep 27 16:45:20 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/local/sbin/suexec)
    [Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Thu Sep 27 16:45:21 2007] [warn] module suexec_module is already loaded, skipping
    [Thu Sep 27 16:45:21 2007] [warn] module logio_module is already loaded, skipping
    [Thu Sep 27 16:45:21 2007] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Thu Sep 27 16:45:21 2007] [notice] mod_python: using mutex_directory /tmp
    PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/sitebuilder3.so' - Cannot open "/usr/local/lib/php/20060613/siteb
    [Thu Sep 27 16:45:24 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Thu Sep 27 16:45:24 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Thu Sep 27 16:45:24 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Thu Sep 27 16:45:24 2007] [notice] Apache/2.0.59 (FreeBSD) mod_python/3.3.1 Python/2.4.4 PHP/5.2.4 with Suhosin-Patch mod_ssl/2.0.59 OpenSSL/0.9.7e-p1 mod_p
    [Thu Sep 27 16:45:44 2007] [error] [client 85.189.2.153] File does not exist: /usr/local/psa/psa-horde/favicon.ico
    
     
  10. redpaint

    redpaint Guest

     
    Could this have something to do with the certificate name? Looks like it's not displaying correctly and I'm not sure where that's defined. Any ideas?
     
  11. awlane

    awlane Guest

     
    This entry in your log:

    [Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?

    Won't be the issue. I have seen that on most of my PSA servers. It seems to refer to the self-signed cert you see when you access PSA. The cert is issued for CN "plesk", whereas your actual URL to PSA will be some sort of FQDN, not "plesk". You will see that you had that log entry in your log long before you tried to apply this hotfix.
     
  12. redpaint

    redpaint Guest

     
    Hi All,

    I submitted the problem to SWSoft and the problem was with permissions on the file. After changing them to 644 the problem disappeared. Hope this helps others and I've asked them to update the knowledgebase.

    Thanks for your help awlane.
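The install procedure from the KB article quoted at the top of the thread, combined with awlane's chgrp/restart steps and redpaint's 644 fix, as an added shell example. This is not part of the KB article or of any post in this thread; it assumes the file path, group (psaadm) and restart command from the KB, and uses the MD5 redpaint quoted for the 8.2.0 hotfix. PSA_GROUP and APPLY_KB2169 are knobs introduced here so the functions can be exercised on a non-Plesk host.

```shell
#!/bin/sh
# Added example (not SWsoft's code): apply the KB 2169 class.Session.php hotfix
# with a checksum check, a backup of the original, correct group/mode, and a
# restart of the Plesk admin httpd.

PSA_FILE="${PSA_FILE:-/usr/local/psa/admin/plib/class.Session.php}"
PSA_GROUP="${PSA_GROUP:-psaadm}"   # group the admin httpd runs as, per the KB
PSA_RESTART="${PSA_RESTART:-/usr/local/psa/admin/bin/httpsdctl restart}"
# MD5 quoted in the thread (redpaint) for the Plesk 8.2.0 hotfix file.
EXPECTED_MD5_820="5b7a8071374aa94b83697aec72d1d556"
HOTFIX_URL_820="http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.2.0/114298/class.Session.php"

# MD5 of a file, portable across Linux (md5sum) and FreeBSD (md5 -q).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Octal mode of a file, portable across GNU stat and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# install_hotfix <downloaded-file> <target-path> <expected-md5>
# Refuses to install on a checksum mismatch, keeps a timestamped backup of
# the original, then sets group ownership and mode 0644 (the mode redpaint
# needed before the panel stopped showing a blank page).
install_hotfix() {
    src="$1"; dst="$2"; want="$3"
    got=$(file_md5 "$src")
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $src: got $got, expected $want" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$src" "$dst" || return 1
    chgrp "$PSA_GROUP" "$dst" || return 1
    chmod 0644 "$dst" || return 1
    return 0
}

# Full run only when APPLY_KB2169=1 is set, so sourcing this file is harmless.
case "${APPLY_KB2169:-}" in
1)
    tmp=$(mktemp) || exit 1
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$tmp" "$HOTFIX_URL_820" || exit 1
    else
        fetch -o "$tmp" "$HOTFIX_URL_820" || exit 1   # FreeBSD
    fi
    install_hotfix "$tmp" "$PSA_FILE" "$EXPECTED_MD5_820" || exit 1
    rm -f "$tmp"
    $PSA_RESTART
    ;;
esac
```

Run it as `APPLY_KB2169=1 sh apply_kb2169.sh` on an 8.2.0 box; for 8.0.x or 8.1.0 substitute the matching download URL and the checksum the KB lists for that version. The backup makes it easy to roll back if the panel goes blank, and on an RPM-based system `rpm -V psa` (as breun notes below) will flag the replaced file as modified, which is expected after applying a hotfix.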
     
  13. thewolf

    thewolf Regular Pleskian

    Joined:
    Mar 11, 2004
    Messages:
    231
    Likes Received:
    0
    Hi,

    Is there any mailing to subscribe to in order to get this kind of security notifications?

    Thanks.
     
  14. knocx

    knocx Guest

     
    Can anyone post the md5sum for class.Session.php on an 8.2.1 system? What we observe is that the sums do not match.
     
  15. breun

    breun Golden Pleskian

     
    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    I don't believe the files in the KB article and from the 8.2.1 packages will have the same checksums. If your OS is using a package manager (rpm/dpkg) you can use that to verify your files. On an RPM-based distro you'd run rpm -V psa to verify the files in the psa package (class.Session.php is installed from the psa package).
     
  16. Filipe Miranda

    Filipe Miranda Guest

     
    Hello,

    I'm using Plesk for Linux 8.2.1 does it already include the patch or will I have to follow the same procedure described above?

    Thank You,

    Regards,
    Filipe Miranda
     
  17. tiramisu

    tiramisu Guest

     
    The KB says:

    SWsoft Plesk versions 7.5.4, 8.1.1, 8.2.1 and later are not affected by this vulnerability.

    so 8.2.1 is fine
     