• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Security problem when Shared App Pool

Luiz_Gustavo

Luiz_Gustavo

Basic Pleskian
Hello,

I create 2 websites in Plesk Windows for testing, both in the plesk default app pool (shared) and for my big surprise, I can write any files in SITE2 area from SITE1 subscription, using .NET script .:eek:

I do not want to use a Dedicated App Pool for each subscrition to preverse memory. Are there a solution for this "security issue"? o_O


Regards,

Luiz
 
Gustavo_Morgado said:
both in the plesk default app pool (shared) and for my big surprise, I can write any files in SITE2 area from SITE1 subscription, using .NET script .:eek:
Click to expand...
Hmm... why "big surprise"? It is default behaviour of shared pool. Shared means "shared" :) There is the same system user. Moreover - crashing of one application will crash whole pool.
If you need isolation - use dedicated pool.
 
The big surprise because a realize Plesk to not implement security in shared pools. It perfectly possible to prevent this problem creating a unique user for each subscription and configure this user in Anonymous User and Physical Path credentials, and Impersonate the user in ASP.NET. Each subscription directory has NTFS permissions just for the unique user and this procedure permit many sites in shared app pool with no write acess from one site to another.

Well, if plesk do not permit this, I will isolete him in dedicated pool, but this this is a waste of system memory for low budget subscription sites.
 
BTW, dedicated pool is option, recommended by Microsoft.
 
You must log in or register to reply here.

Similar threads

M
Issue Plesk 12.5 - Changing PHP version changes app pool
Replies
1
Views
1K
serverpoint
serverpoint
M
New Browser issue on Plesk 17.8.8 Buttons for App Pool Recycle/Stop/start missing
Replies
1
Views
755
IgorG
IgorG
custer
Important Removing deadweight in Plesk Onyx 17.8
Replies
3
Views
8K
Laurence@
Laurence@
J
Plesk Onyx – Designed for Vultr.com
Replies
0
Views
3K
Joerg Strotmann
J
G
Resolved Plesk 12.0.18 in Debian 7.8 all permissions server-wide set to root:root
Replies
5
Views
3K
gxe
G
Back
Top