
hacking with php shell

Christian Roehl (Guest)
I have not found any thread or comment on that point. Have you had any experience with php shell (http://phpshell.sourceforge.net/) already? Once php shell is installed on your Plesk server you are able to execute shell commands, *delete files* or have control over all files/folders of other customers.

All you need is an existing account on your Plesk server and users who disabled safe mode in order to install apps like Joomla or WordPress.
 
I will provide access, but not officially on this forum. Are you able to contact me directly?
 
Guys,

Could you please post the results of your investigation with all necessary details on how it can be reproduced?
 
I cannot reproduce it on our servers ...

open_basedir prevents access to other customers ...
 
If you want, I will prepare a test machine for you; potentially that's easier. Please keep me informed.
 
@danliker: Lenny is running fine. So I should limit the issue to CentOS 5.4, PHP 5.1.6.
 
OK, I think I have found the bug ...

If you use fcgi, open_basedir and the other PHP values are not set in the http.include file ...
 
If you have found a bug, please describe it in detail with instructions on how it can be reproduced. I will submit a bug report to the developers in that case.
 
It is a PHP script; just download, unpack and upload it via FTP to an account with fcgi enabled and safe mode disabled ...
 
Use any user account on your Plesk server (please use CentOS; Debian is running fine). Upload the files, e.g. into your httpdocs folder. Configure config.php with user and password. If there is any need, I can prepare a server for a limited time.
 
OK. Thank you for the information and cooperation.
I have submitted a corresponding request to the developers.
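A check for the FastCGI open_basedir gap discussed in this thread, added here as an example (it is not code from the thread or from Plesk): requested once under each PHP handler, it reports which handler served it, whether open_basedir is set and actually enforced, and whether the shell-execution functions a PHP shell relies on are disabled. The function name and the probe path are assumptions.

```php
<?php
// Added hardening check, not code from the thread or from Plesk. Drop a copy
// into a customer's httpdocs and request it once under each PHP handler
// (mod_php and FastCGI); the thread reports that the FastCGI path may miss
// the open_basedir settings, so the two results should be compared.
// Assumption: $probePath is any world-readable file outside the vhost.

function checkHandlerHardening($probePath = '/etc/passwd')
{
    $basedir  = (string) ini_get('open_basedir');
    $findings = array(
        'sapi'             => php_sapi_name(),
        'open_basedir'     => $basedir !== '' ? $basedir : '(unset)',
        'open_basedir_set' => $basedir !== '',
    );

    // A set value is not enough: verify that reads outside the allowed paths
    // really fail. The probe file is world-readable, so a successful read can
    // only mean the restriction is not applied by this handler.
    $findings['outside_read_blocked'] = (@file_get_contents($probePath) === false);

    // Shell-execution functions should be disabled so that an uploaded script
    // cannot run OS commands even if file access is otherwise restricted.
    $shellFns = array('exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open');
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $enabled  = array();
    foreach ($shellFns as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $enabled[] = $fn;
        }
    }
    $findings['enabled_shell_fns'] = $enabled;

    $findings['pass'] = $findings['open_basedir_set']
        && $findings['outside_read_blocked']
        && $enabled === array();

    return $findings;
}

header('Content-Type: text/plain');
foreach (checkHandlerHardening() as $key => $value) {
    if (is_array($value)) {
        $value = $value ? implode(', ', $value) : '(none)';
    }
    printf("%-22s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
```

Remove the file again after the check; a "pass" of "no" under one handler but "yes" under the other reproduces the per-handler gap described in this thread.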
 