• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Forwarded to devs <domain>/server-status is accessible when frame forwarding configured

L

lukas-degan

Basic Pleskian
Username: lukas-degan

TITLE

<domain>/server-status is accessible when frame forwarding configured

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian, Version 18.0.31 Update Nr. 2, Debian 10 64 Bit

PROBLEM DESCRIPTION

If hosting type of a domain is set to "frame forwarding", the apache status page under "https://<domain>/server-status" is public accessible. If its set for example to "permanent moved" it is not accessible.
And all this without any special manual configuration.

STEPS TO REPRODUCE

Set hosting type to "frame forwarding" and access the URL under: https://<domain>/server-status

ACTUAL RESULT

The Apache status page with many private information are accessible for everyone.

EXPECTED RESULT

The status page is not accessible without any explicit configuration.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
From developer:

Plesk does not manage any server-status pages. I was able only to find KB about the manual configuration of this module to add such page for all domains (How to enable the Apache server statistics on a Plesk server). So it's not a Plesk related issue, but admin should check - does really server-status page is accessible for everyone and if so, add some kind of IP access restriction.
 
IgorG said:
From developer:

Plesk does not manage any server-status pages. I was able only to find KB about the manual configuration of this module to add such page for all domains (How to enable the Apache server statistics on a Plesk server). So it's not a Plesk related issue, but admin should check - does really server-status page is accessible for everyone and if so, add some kind of IP access restriction.
Click to expand...
Hi Igor,

thx for your reply. Can i only configure this for all domains or also for specific?
I checked "/etc/apache2/mods-enabled/status.conf" and there are no manual configruations. Its the default config.

If i try to acces a domain without any redirections i get "403 Forbidden" on the "server-status" page.
I will try to set the ip restriction and give you reply soon.
 
I see it as a problem, too. If I set up a hosted website, /server-status is not accessible. But if it is a frame forwarding, than it is accessible. It should behave the same way or maybe there should be an option to enable / disable it, for security reasons.
 
you can protect the server status with a password request.
Example (/etc/httpd/conf/httpd.conf):

<Location / server-status>
SetHandler server-status
Order deny, allow
Deny from all
Allow from 127.0.0.1
AuthUserFile /var/www/.htpasswd
AuthName server status
AuthType Basic
Require valid-user
</Location>

## service httpd reload
 
I found that the requests all come frome localhost. The Problem is caused by reverse proxy if requests come from localhost.
To block all requests the config must be like (/etc/apache2/mods-enabled/status.conf):
Code: 
<Location /server-status>
                SetHandler server-status
                Require all denied
        </Location>

I dont know if it is a Plesk specific problem, but it schould investigated, because its a big safety risk.
 
You must log in or register to reply here.

Similar threads

K
Forwarded to devs Error notification missing for forwarding domain back to itself
Replies
2
Views
625
Sebahat.hadzhi
Sebahat.hadzhi
J
Resolved DOMAIN ALIAS - Emails not being forwarded
Replies
1
Views
901
Sebahat.hadzhi
Sebahat.hadzhi
M
Resolved Missing HTTP_HOST causes incorrect URL generation in WP Toolkit
Replies
12
Views
2K
Maarten
M
T
Issue Forwarded domain can't be secured
Replies
3
Views
968
TomBoB
T
majdi draouil
Question Need Help Configuring Plesk Web Access on Server with Custom Ports - IP Accidentally Pointed to Domain
Replies
3
Views
518
majdi draouil
majdi draouil
Back
Top