
SQL Injection vulnerability

You would think swsoft would have posted this in here - so I did!


[FIX] SQL Injection vulnerability
Article ID: 2169
Last Review: Sep 13, 2007
APPLIES TO:

* Plesk 8.0.x
* Plesk 8.1.x
* Plesk 8.2

SYMPTOMS
SQL injection vulnerability within Plesk for Linux/Unix.
RESOLUTION
Please download the following file:

For Plesk v8.0.0 and v8.0.1 :
http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.0.1/114298/class.Session.php

For Plesk v8.1.0 :
http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.1.0/114298/class.Session.php

For Plesk 8.2.0 :
http://download1.swsoft.com/Plesk/Hotfix/PleskUnix/8.2.0/114298/class.Session.php

and replace /usr/local/psa/admin/plib/class.Session.php file on Plesk server with the downloaded new one.

Plesk versions 7.5.4 and 8.1.1 are not affected by this vulnerability.
 
Is this fix part of PSA 8.2.1 ?

If I had 8.2.0 and did not apply this hotfix, will upgrading to 8.2.1 include this hotfix or do I still have to manually replace the affected file ?
 
I just applied this and now can't log into Plesk Admin panel. Anyone know why this might happen? Just get a blank screen.
 
Originally posted by redpaint
I just applied this and now can't log into Plesk Admin panel. Anyone know why this might happen? Just get a blank screen.

What version of PSA are you running? Which file did you download and replace? What is its MD5SUM? Did you set group ownership of the file and restart httpd as per the KB entry?
 
Originally posted by redpaint
Hi,

Speedy response.

Ok, I followed the instructions exactly as on http://kb.swsoft.com/en/2169 and checksum seems fine. OS is FreeBSD and Plesk 8.2.

That is strange indeed.

When you performed these two steps from the KB article, did you get any errors ?

chgrp psaadm /usr/local/psa/admin/plib/class.Session.php

/usr/local/psa/admin/bin/httpsdctl restart

Does the PSA httpd error log show any activity when you try to log into PSA now ?

I am a RedHat guy with zero BSD exposure, so perhaps my troubleshooting path doesn't make much sense on a BSD box, but I am assuming it's very similar.
 
Hi,

Thanks for the response. This is the activity I have for this afternoon:

Code:
[Thu Sep 27 16:30:46 2007] [error] [client 217.44.103.206] File does not exist: /usr/local/www/vhosts/default/htdocs/favicon.ico
[Thu Sep 27 16:30:46 2007] [error] [client 217.44.103.206] File does not exist: /usr/local/www/vhosts/default/htdocs/img/glyph, referer: 
[Thu Sep 27 16:31:19 2007] [error] [client 85.189.2.153] File does not exist: /usr/local/psa/psa-horde/favicon.ico
[Thu Sep 27 16:43:26 2007] [notice] caught SIGTERM, shutting down
[Thu Sep 27 16:45:20 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/local/sbin/suexec)
[Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Sep 27 16:45:21 2007] [warn] module suexec_module is already loaded, skipping
[Thu Sep 27 16:45:21 2007] [warn] module logio_module is already loaded, skipping
[Thu Sep 27 16:45:21 2007] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Thu Sep 27 16:45:21 2007] [notice] mod_python: using mutex_directory /tmp
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/sitebuilder3.so' - Cannot open "/usr/local/lib/php/20060613/siteb
[Thu Sep 27 16:45:24 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Sep 27 16:45:24 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Sep 27 16:45:24 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Thu Sep 27 16:45:24 2007] [notice] Apache/2.0.59 (FreeBSD) mod_python/3.3.1 Python/2.4.4 PHP/5.2.4 with Suhosin-Patch mod_ssl/2.0.59 OpenSSL/0.9.7e-p1 mod_p
[Thu Sep 27 16:45:44 2007] [error] [client 85.189.2.153] File does not exist: /usr/local/psa/psa-horde/favicon.ico
 
Could this have something to do with the certificate name? Looks like it's not displaying correctly and I'm not sure where that's defined. Any ideas?
 
This entry in your log:

[Thu Sep 27 16:45:21 2007] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?

won't be the issue. I have seen that on most of my PSA servers. It seems to refer to the self-signed cert you see when you access PSA. The cert is issued for CN "plesk", whereas your actual URL to PSA will be some sort of FQDN, not "plesk". You will see that you had that log entry in your log long before you tried to apply this hotfix.
 
Hi All,

I submitted the problem to SWSoft and the problem was with permissions on the file. After changing them to 644 the problem disappeared. Hope this helps others and I've asked them to update the knowledgebase.

Thanks for your help awlane.
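The checks this thread converged on (group psaadm per the KB steps, mode 644 per the SWsoft answer, and the md5sum question raised earlier), put into one script. This is an added example, not code from the KB article or from any poster; the psaadm group name and the expected MD5 are values you supply from your own server and are treated here as assumptions.

```shell
#!/bin/sh
# Verify a replaced Plesk hotfix file before blaming the patch for a blank
# login screen. Assumptions: GROUP (e.g. psaadm) and EXPECTED_MD5 come from
# the KB download you used; nothing here is hard-coded to a real checksum.

# check_hotfix_file FILE GROUP MODE [EXPECTED_MD5]
# Returns 0 when FILE has the given group and octal mode (and checksum, if
# given); prints each mismatch to stderr and returns 1 otherwise.
check_hotfix_file() {
    file=$1; want_group=$2; want_mode=$3; want_md5=${4:-}
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    # GNU stat (Linux) takes -c; BSD stat (FreeBSD, as in this thread) takes -f.
    if stat -c '%a %G' "$file" >/dev/null 2>&1; then
        set -- $(stat -c '%a %G' "$file")
    else
        set -- $(stat -f '%Lp %Sg' "$file")
    fi
    have_mode=$1; have_group=$2
    [ "$have_mode" = "$want_mode" ]   || { echo "mode $have_mode, want $want_mode" >&2; rc=1; }
    [ "$have_group" = "$want_group" ] || { echo "group $have_group, want $want_group" >&2; rc=1; }
    if [ -n "$want_md5" ]; then
        if command -v md5sum >/dev/null 2>&1; then
            have_md5=$(md5sum "$file" | cut -d' ' -f1)
        else
            have_md5=$(md5 -q "$file")   # FreeBSD has md5, not md5sum
        fi
        [ "$have_md5" = "$want_md5" ] || { echo "md5 $have_md5, want $want_md5" >&2; rc=1; }
    fi
    return $rc
}

# fix_hotfix_file FILE GROUP MODE
# Applies the two corrections the thread settled on: chgrp psaadm and chmod 644.
fix_hotfix_file() {
    chgrp "$2" "$1" && chmod "$3" "$1"
}

# Typical use on a Plesk box (paths from the KB article):
#   fix_hotfix_file /usr/local/psa/admin/plib/class.Session.php psaadm 644
#   check_hotfix_file /usr/local/psa/admin/plib/class.Session.php psaadm 644 "$EXPECTED_MD5"
```

On an RPM-based system, `rpm -V psa` gives an independent check of the same file against the package database, as noted later in the thread.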
 
Hi,

Is there any mailing to subscribe to in order to get this kind of security notifications?

Thanks.
 
Can anyone post the md5sum for class.Session.php on an 8.2.1 system? What we observe is that the sums do not match.
 
I don't believe the files in the KB article and from the 8.2.1 packages will have the same checksums. If your OS is using a package manager (rpm/dpkg) you can use that to verify your files. On an RPM-based distro you'd run rpm -V psa to verify the files in the psa package (class.Session.php is installed from the psa package).
 
Hello,

I'm using Plesk for Linux 8.2.1 does it already include the patch or will I have to follow the same procedure described above?

Thank You,

Regards,
Filipe Miranda
 
In the KB it says:

SWsoft Plesk versions 7.5.4, 8.1.1, 8.2.1 and later are not affected by this vulnerability.

so 8.2.1 is fine
 