
Resolved Web Server Cross Site Scripting

Martin73

Basic Pleskian
I scan my server regularly with the ScanMyServer service from Beyond Security. Recently I got the following result:
The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability.
The vulnerability is caused when the result returned to the user when a non-existing file is requested contains the original URL (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Code:
Sample URL: https://www.mydomain.com:443/index.php?param="><script>alert(document.cookie)</script>.php
Sample Request:
===
GET /index.php?param="><script>alert(document.cookie)</script>.php HTTP/1.1
Connection: Close
Host: www.mydomain.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

How can I change the setting to protect the server?

My virtual server:
Ubuntu 16.04.4 LTS
Plesk Onyx 17.8.11
 
The underlying cause of this is not so much related to your server but rather that your index.php script or your application is not sanitizing inputs.

Inputs passed to sites or pages may be legitimate or nefarious in nature, so while there are tools that run at the server or CDN level to scan for and block those requests, you would be better off fixing the script itself, since the PHP script is what is enabling anyone to pass scripts that are directly rendered on the page.

The takeaway here is that it's not a Plesk or OS issue.
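The reply's point in code, as an added example that is not from the thread, from Plesk or from the scanner vendor: a PHP handler that reflects the requested URL into its "not found" page, first in the form the scanner flagged and then with output escaping, plus the same reflection check the scanner performs. The handler layout, the parameter name `param` and the function names are assumptions; the probe string is constructed to match the sample request above.

```php
<?php
// Added example for this thread, not code from the original post or from Plesk.
// Shows the reply's point: the reflected XSS lives in the script that echoes the
// request, so the fix is to HTML-encode at output. The handler shape, the
// parameter name "param" and all function names here are assumptions.
// Uses only PHP 7-compatible calls (no str_contains) to match an Onyx-era server.

declare(strict_types=1);

/**
 * Vulnerable: what the scanner flagged. The request URI is dropped into the
 * HTML verbatim, so '"><script>...' in the query string closes whatever markup
 * it lands in and the script runs in the visitor's browser with the site's origin.
 */
function renderNotFoundVulnerable(string $requestUri): string
{
    return "<h1>404 Not Found</h1>\n"
         . "<p>The requested URL $requestUri was not found on this server.</p>\n";
}

/**
 * Hardened: every request-derived value is escaped for an HTML text context.
 * ENT_QUOTES covers both quote styles (the probe breaks out with a double quote);
 * ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
 */
function renderNotFoundSafe(string $requestUri): string
{
    $safeUri = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>404 Not Found</h1>\n"
         . "<p>The requested URL $safeUri was not found on this server.</p>\n";
}

/**
 * The check a scanner performs: does the raw probe string come back unchanged?
 * An escaped reflection (&quot;&gt;&lt;script&gt;...) does not match and is inert.
 */
function reflectsUnescaped(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Constructed probe with the same shape as the scanner's sample request. The
// sample request sends these characters literally in the request line, so this
// is exactly the string the script receives.
$probe    = '"><script>alert(document.cookie)</script>';
$probeUri = '/index.php?param=' . $probe . '.php';

if (PHP_SAPI === 'cli') {
    // Stand-alone demo: compare both handlers on the probe.
    foreach (['vulnerable' => renderNotFoundVulnerable($probeUri),
              'hardened'   => renderNotFoundSafe($probeUri)] as $label => $html) {
        printf("%-10s reflects probe unescaped: %s\n",
               $label, reflectsUnescaped($html, $probe) ? 'yes' : 'no');
        echo $html, "\n";
    }
} else {
    // Deployed as the 404 handler: send the hardened page with an explicit
    // charset so the browser cannot reinterpret the escaped bytes in another
    // encoding, and refuse content-type sniffing.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo renderNotFoundSafe($_SERVER['REQUEST_URI'] ?? '/');
}
```

Run it with `php` on the command line to see the two renderings side by side: the first one contains the probe verbatim, the second contains only `&quot;&gt;&lt;script&gt;...`. Blocking the probe string in `.htaccess` or at a WAF only hides that one pattern from the scanner; the unescaped sink stays reachable with any other payload, which is why the escaping belongs in the script that does the output.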
 
You're right. I have adapted the .htaccess file and will wait for the result of the next security scan.
 