
test.php.jpg should not execute PHP but does!

grumpydev

New Pleskian
Can someone please explain to me WHY this would execute on a PLESK configured domain?! This seems like a massive security issue.
 
If you have not customized the domain's virtual hosting templates, you can perform the following workaround:

mkdir -p /usr/local/psa/admin/conf/templates/custom/service

cp /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/

then create files with the following content:

cat /usr/local/psa/admin/conf/templates/custom/service/php.php
<IfModule <?php echo $VAR->server->webserver->apache->php4ModuleName ?>>
<Files ~ (\.php$)>
<?php
if ($OPT['enabled']) {
echo "php_admin_flag engine on\n";

if (isset($OPT['settings'])) {
echo $OPT['settings'];
}

} else {
echo "php_admin_flag engine off\n";
}
?>
</Files>
</IfModule>

<IfModule mod_php5.c>
<Files ~ (\.php$)>
<?php
if (array_key_exists('enabled', $OPT) && $OPT['enabled']) {
echo "php_admin_flag engine on\n";

if (isset($OPT['settings'])) {
echo $OPT['settings'];
}

} else {
echo "php_admin_flag engine off\n";
}
?>
</Files>
</IfModule>

cat /usr/local/psa/admin/conf/templates/custom/service/php_over_cgi.php
<Files ~ (\.php$)>
SetHandler None
AddHandler php-script .php
Options +ExecCGI
allow from all
</Files>

cat /usr/local/psa/admin/conf/templates/custom/service/php_over_fastcgi.php
<IfModule mod_fcgid.c>
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper <?php echo $VAR->server->webserver->apache->phpCgiBin ?> .php
Options +ExecCGI
allow from all
</Files>
</IfModule>
 
Anyway, if you allow file uploads in your web application, you have to check the MIME type of uploaded files and disable execution for special folders like /image, for example.
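As an added illustration (not code from this thread or from Plesk), the Python below models the two Apache matching rules at play here, the default AddHandler behaviour that fires on any `.php` segment and the anchored `<Files ~ (\.php$)>` match from the custom templates, plus the application-side upload check the reply recommends; PHP_EXTENSIONS and IMAGE_MAGIC are constructed sample tables, not the server's real configuration.

```python
import re

# Extensions bound to the PHP handler by AddHandler/FCGIWrapper lines
# (constructed for this example; Plesk's own list may differ).
PHP_EXTENSIONS = {"php"}

# Magic bytes for the image types an upload folder would accept
# (constructed sample table, not the server's MIME database).
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def mod_mime_extensions(filename):
    """Every dot-separated segment after the base name, as mod_mime sees it:
    'test.php.jpg' -> ['php', 'jpg']. Extensions are matched case-insensitively."""
    return [ext.lower() for ext in filename.split(".")[1:] if ext]


def runs_php_with_addhandler(filename):
    """AddHandler php-script .php: the handler applies when *any* extension
    is .php, which is why test.php.jpg executes with the default template."""
    return any(ext in PHP_EXTENSIONS for ext in mod_mime_extensions(filename))


def runs_php_with_files_regex(filename):
    """<Files ~ (\\.php$)>: the handler applies only when the name *ends*
    in .php, which is what the custom templates in the workaround enforce."""
    return re.search(r"\.php$", filename) is not None


def safe_image_upload(filename, data):
    """Application-side check for an image upload folder: exactly one
    extension, from the image whitelist, and the content must start with
    that type's magic bytes (so a PHP file renamed to .jpg is rejected too)."""
    exts = mod_mime_extensions(filename)
    if len(exts) != 1 or exts[0] not in IMAGE_MAGIC:
        return False
    return data.startswith(IMAGE_MAGIC[exts[0]])
```

Even with the template fix in place, the upload check is still worth keeping, since a web server rule only covers the handlers it names.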
 
Thanks for the quick response to this. Do these changes take effect immediately after a restart? How do I make sure these changes get applied?

Thanks again!
 
After creating the files you have to update the domain's hosting configuration, for example change the PHP handler or switch Perl support on/off, and save the changes.
 
Anyway, if you allow file uploads in your web application, you have to check the MIME type of uploaded files and disable execution for special folders like /image, for example.

I strongly agree with this statement. Unfortunately, we do not perform code reviews of all sites that are hosted by us, thus having this functionality by default seems really scary.

Thanks again!
 