
WARNING: PHP XML-RPC Vulnerability

jshanley

Guest
As seen on the PHP webpage, there is an exploitable security vulnerability in the XML-RPC module. Some people have reported attempts to exploit this vulnerability already.

This module is upgradeable by doing a:

pear upgrade XML_RPC

Plesk does not seem to ship with pear though (at least not on FreeBSD), so updating those systems will be a little more interesting.

Some software that uses XML-RPC, and may (or may not) be installed on your machines:

Wordpress, Postnuke, phpWiki, etc.

More info here and here.


Just giving a heads up. Hopefully SW-Soft will release a hotfix..

-J
 
The only place on FreeBSD I found pear was in Horde; I can't find a way to upgrade the XML_RPC though..
 
Fix

Victor K. @ sw-soft support was nice enough to mention that pearcmd.php can be used in place of the normal "pear" command.

Here is the way to fix your system, at least on FreeBSD. Note that Horde seems to use XML-RPC (at least it ships with it, so...)

1) edit /usr/local/psa/psa-horde/pear/pearcmd.php

change the line:

ini_set('include_path', '/home/jan/pear_root/share/pear');

to:

ini_set('include_path', '/usr/local/psa/psa-horde/pear');

2) Then do:

/usr/local/psa/apache/bin/php /usr/local/psa/psa-horde/pear/pearcmd.php upgrade XML_RPC

It will sit there for a few seconds, then update the module.

Just to be safe, I'd suggest restarting apache.

-J
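The two steps above, scripted as an added example (this is not code from the thread or from Plesk): it rewrites the hard-coded include_path in pearcmd.php, keeps a backup of the original, and then runs the upgrade with the Plesk PHP binary. The file paths are the ones named in this thread (the FreeBSD Horde path and the Red Hat candidates); the function names, the backup naming and the check that an ini_set('include_path', ...) line actually exists before editing are my additions, and whether those paths exist on your server is an assumption you must verify.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts the manual fix:
# (1) point pearcmd.php's include_path at the Plesk-shipped PEAR tree,
# (2) run "pearcmd.php upgrade XML_RPC" with Plesk's own PHP binary.

# Candidate pearcmd.php locations named in the thread (FreeBSD first,
# then the Red Hat paths). Prints the first one that exists.
find_pearcmd() {
    for f in /usr/local/psa/psa-horde/pear/pearcmd.php \
             /usr/share/psa-horde/pear/pearcmd.php \
             /usr/share/pear/pearcmd.php; do
        if [ -f "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Print the include_path currently configured in a pearcmd.php file.
current_include_path() {
    sed -n "s/.*ini_set('include_path', '\([^']*\)').*/\1/p" "$1"
}

# Replace the hard-coded include_path with $2 (the PEAR root to use).
# Refuses to touch the file if no ini_set('include_path', ...) line is
# present, and leaves the untouched original as <file>.orig.
# Assumption: the new path contains no '|' or '&' (sed delimiters).
patch_include_path() {
    pearcmd="$1"
    pear_root="$2"
    grep -q "ini_set('include_path'" "$pearcmd" || return 1
    cp "$pearcmd" "$pearcmd.orig" || return 1
    sed "s|ini_set('include_path', '[^']*');|ini_set('include_path', '$pear_root');|" \
        "$pearcmd.orig" > "$pearcmd"
}

# Run the XML_RPC upgrade through pearcmd.php using Plesk's PHP binary
# (path from the thread); falls back to whatever php is on PATH.
run_upgrade() {
    pearcmd="$1"
    php_bin="${2:-/usr/local/psa/apache/bin/php}"
    [ -x "$php_bin" ] || php_bin=php
    "$php_bin" "$pearcmd" upgrade XML_RPC
}

# Usage on FreeBSD as described in the thread (left commented so the
# file can be sourced without side effects):
# f=$(find_pearcmd) || { echo "pearcmd.php not found" >&2; exit 1; }
# echo "include_path before: $(current_include_path "$f")"
# patch_include_path "$f" /usr/local/psa/psa-horde/pear
# run_upgrade "$f" && apachectl graceful
```

The backup copy makes it easy to confirm exactly which line changed (diff the file against its .orig) and to roll back if the upgrade fails; restarting Apache afterwards, as the post suggests, ensures no worker keeps the old library loaded.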
 
Originally posted by Jllynch
Anyone know the file locations for Linux (Red Hat)?

On linux Plesk uses the system-provided PHP, so you should check your distro security updates.
 
But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command:

pear upgrade XML_RPC.
 
Originally posted by Jllynch
But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command:

pear upgrade XML_RPC.

I dunno if PSA uses pear and XML functions...
 
Originally posted by Jllynch
Anyone know the file locations for Linux (Red Hat)?
For RH, try:

/usr/share/pear/pearcmd.php
/usr/share/psa-horde/pear/pearcmd.php
 
Originally posted by EvolutionCrazy
I dunno if PSA uses pear and XML functions...

Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.
 
Originally posted by jshanley
Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.

AFAIU, AppVault packages use the system PHP, not Plesk's one. IIRC, only phpMyAdmin and pgMyAdmin use the PHP shipping with Plesk.
 