• The APS Catalog has been deprecated and removed from all Plesk Obsidian versions.
    Applications already installed from the APS Catalog will continue working. However, Plesk will no longer provide support for APS applications.
  • Please be aware: with the Plesk Obsidian 18.0.78 release, the support for the ngx_pagespeed.so module will be deprecated and removed from the sw-nginx package.

test.php.jpg should not execute PHP but does!

G

grumpydev

New Pleskian
Can someone please explain to me WHY this would execute on a PLESK configured domain?! This seems like a massive security issue.
 
if you have not customize domain's virtual hosting templates, you can perform following workaround:

mkdir -p /usr/local/psa/admin/conf/templates/custom/service

cp /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/

than create files with following content:

cat /usr/local/psa/admin/conf/templates/custom/service/php.php
<IfModule <?php echo $VAR->server->webserver->apache->php4ModuleName ?>>
<Files ~ (\.php$)>
<?php
if ($OPT['enabled']) {
echo "php_admin_flag engine on\n";

if (isset($OPT['settings'])) {
echo $OPT['settings'];
}

} else {
echo "php_admin_flag engine off\n";
}
?>
</Files>
</IfModule>

<IfModule mod_php5.c>
<Files ~ (\.php$)>
<?php
if (array_key_exists('enabled', $OPT) && $OPT['enabled']) {
echo "php_admin_flag engine on\n";

if (isset($OPT['settings'])) {
echo $OPT['settings'];
}

} else {
echo "php_admin_flag engine off\n";
}
?>
</Files>
</IfModule>

cat /usr/local/psa/admin/conf/templates/custom/service/php_over_cgi.php
<Files ~ (\.php$)>
SetHandler None
AddHandler php-script .php
Options +ExecCGI
allow from all
</Files>

cat /usr/local/psa/admin/conf/templates/custom/service/php_over_fastcgi.php
<IfModule mod_fcgid.c>
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper <?php echo $VAR->server->webserver->apache->phpCgiBin ?> .php
Options +ExecCGI
allow from all
</Files>
</IfModule>
 
Anyway if you allow in your web application upload of files you have to check mime-type of uploading files and disable execution for special folders like /image for example.
 
Thanks for the quick response to this. Do these changes take effect immediately after a restart? How do I make sure these changes get applied?

Thanks again!
 
After creating files you have to update domain's hosting configuration, for example change PHP handler or switch on/off Perl support and save changes.
 
OlegN said:
Anyway if you allow in your web application upload of files you have to check mime-type of uploading files and disable execution for special folders like /image for example.
Click to expand...

I strongly agree with this statement. Unfortunately, we do not perform code reviews of all sites that are hosted by us, thus having this functionality by default seems really scary.

Thanks again!
 
You must log in or register to reply here.

Similar threads

K
WordPress Breakdance plugin <= 1.7.2 - Authenticated Remote Code Execution (RCE) vulnerability
Replies
4
Views
2K
KNEET
K
J
Issue Error installing ClamAV in Plesk Email Security on AlmaLinux 10
Replies
7
Views
790
Sebahat.hadzhi
Sebahat.hadzhi
F
Issue Unauthorized Extension Installations — Request for Clarification
Replies
1
Views
536
Sebahat.hadzhi
Sebahat.hadzhi
T
Issue Unable to install extension for PHP
Replies
14
Views
2K
trialotto
T
Azurel
Question MariaDB 11.8 "Upgrade Now"-Button
Replies
8
Views
3K
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top