
Issue: Shell file can access C:\

testttt

Basic Pleskian
Hi,
I have Plesk Obsidian 18.0.34 on Windows Server 2019.
I found a shell file (an .aspx shell) on a web site.
I moved it to another web site and looked at it to see its functions and access limits. But I was shocked when I saw the results. I can access the root folder (C:\) of the disk and many other places. Some directories couldn't be accessed (C:\Inetpub), but I can access many directories.

How can this file access folders beyond the web site's httpdocs folder? Is this normal? If not, how can I fix this security vulnerability?

So, you're now discovering an issue with all script languages that can access a file system. This happens with Python, CGI, PHP, basically any language; PHP has open_basedir built in to prevent this. I'm not familiar with ASPX, but they might have something too. Otherwise, you'll need some form of synthetic rooting if you want to restrict the script to a certain set of directories.

In theory, there is nothing truly "insecure" about a user who is able to enumerate all the files. Files that shouldn't be read will have the proper permissions that prevent that. In practice, this is a horrible idea, especially if someone can enumerate your users, or exploit potential application vulnerabilities, or if the permissions on a file are mis-set.
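The "synthetic rooting" the reply mentions is, at its core, a path-confinement check like PHP's open_basedir: every path the script touches is canonicalised first and then tested against an allowlist of base directories. The following is an added example, not code from this thread or from Plesk, showing that check in Python together with the naive string-prefix test that people usually write first and why it fails (sibling directories sharing a name prefix, `..` segments, symlinks pointing outside the site). The directory names (`httpdocs`, `httpdocs2`, `private`) are constructed for the demo and created in a temporary folder.

```python
import os
import tempfile


class PathNotAllowed(PermissionError):
    """Raised when a requested path resolves outside every allowed base directory."""


def naive_prefix_check(candidate: str, base: str) -> bool:
    # The tempting but wrong way: a plain string prefix test. It accepts
    # "/srv/site2/x" for base "/srv/site" and is defeated by "..", "./" and symlinks.
    return candidate.startswith(base)


def is_within(resolved_path: str, resolved_base: str) -> bool:
    """True if resolved_path is resolved_base itself or lies below it.

    Both arguments must already be canonical (os.path.realpath). commonpath
    compares path components, so a sibling directory that merely shares a name
    prefix is rejected. It raises ValueError for paths on different Windows
    drives, which we treat as "outside" as well.
    """
    try:
        return os.path.commonpath([resolved_path, resolved_base]) == resolved_base
    except ValueError:
        return False


def resolve_allowed(user_path: str, allowed_bases) -> str:
    """Canonicalise user_path and return it only if it lies under an allowed base.

    Symlinks and '..' are collapsed before the check, so a link placed inside
    httpdocs that points at C:\\ or /etc does not get through.
    """
    real = os.path.realpath(user_path)
    for base in allowed_bases:
        if is_within(real, os.path.realpath(base)):
            return real
    raise PathNotAllowed(f"{user_path!r} resolves to {real!r}, outside the allowed directories")


def demo() -> dict:
    """Build a throwaway site layout (constructed sample input) and probe it."""
    root = tempfile.mkdtemp(prefix="site_demo_")
    httpdocs = os.path.join(root, "httpdocs")
    sibling = os.path.join(root, "httpdocs2")   # shares only the name prefix
    private = os.path.join(root, "private")     # must stay unreachable
    for d in (httpdocs, sibling, private):
        os.makedirs(d)
    with open(os.path.join(httpdocs, "index.html"), "w") as fh:
        fh.write("ok")

    probes = {
        "inside": os.path.join(httpdocs, "index.html"),
        "dotdot": os.path.join(httpdocs, "..", "private", "secrets.txt"),
        "sibling_prefix": os.path.join(sibling, "x.txt"),
    }
    try:
        link = os.path.join(httpdocs, "escape")
        os.symlink(private, link)
        probes["symlink_out"] = os.path.join(link, "secrets.txt")
    except (OSError, NotImplementedError):
        pass  # symlink creation may need privileges on Windows; skip that probe

    results = {}
    for name, path in probes.items():
        try:
            resolve_allowed(path, [httpdocs])
            results[name] = True   # access would be allowed
        except PathNotAllowed:
            results[name] = False  # access blocked
    # What the naive prefix test would have said about the sibling directory
    results["naive_accepts_sibling"] = naive_prefix_check(probes["sibling_prefix"], httpdocs)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

The check only governs paths the script passes through `resolve_allowed`; it does nothing about what the operating system itself lets the process read, which is why the NTFS permissions the reply talks about remain the backstop.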
So, any web site owner on my server can access the C:\ directory and can upload and download files? For a standard Windows user that I created, it may be "not unsecure", but for a hosting user it is an extremely serious security problem for me and for all web server owners. I think there must be a feature to restrict web site users from accessing folders above the root directory of the web site (httpdocs or domain.com).