
BIG security flaw in php under plesk7.5.4

larsm

Guest
We have been testing Plesk for a while now.
We have bought Plesk 7.5.4, installed all the patches, and are running it with
MailEnable Enterprise
on a Win 2003 Std.

We then had a user to whom we gave an account (domain user):
www.Somedomain.xx

He then installed a CMS system (PHP)
called pMachinePro 2.4 on his webhotel/webspace.

After installation he went into his website (CMS backend) as a CMS admin and clicked on the file manager button, and got instant access to the whole drive, including all other domains' DBs and the psa DB with all Plesk passwords and so forth. THIS, MY FRIENDS, IS A serious security breach. How do I solve this!!!! ???

I am quite shocked!!
 
temporary solution

It seems that a temporary solution is to enable ISAPI for PHP files for that site, but there is still a problem: ISAPI just closes the gap a little bit.

What is needed here is a solution that will work server-side, not only for the one site, and I'm sure that when we get further down into this there are more nasty things in the bag that should be corrected.

This one is a serious one,
but besides that, all in all I like the panel; it just needs a big makeover, it seems!
 