Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Admin password vulnerability in Plesk 10.0.1
Posted: Thu Dec 09, 2010 3:20 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Parallels wrote:
Parallels has issued a security hotfix to Parallels Plesk Panel 10.0.1 through the Micro-Updates system. It is referenced as MU#2 - Plesk admin password changing. The Micro-Update delivers a bug fix for a vulnerability that could allow authorized Plesk users to change the Plesk 'admin' password and then compromise the Control Panel.

For instructions on implementing Micro-updates, please refer to: http://kb.parallels.com/en/9294 - Using Micro-Updates in Parallels Plesk Panel 9.x, 10.x and Parallels Small Business Panel. For instructions on upgrading from the panel, please refer to the Administrator Manual at: http://download1.parallels.com/Plesk/PP ... =59215.htm

This notification is made pursuant to our development policy of notifying users when critical security issues arise and making fixes available as soon as possible. Please ensure that this patch has already been applied as soon as possible.

_________________
Lemonbit Internet Dedicated Server Management


 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Thu Dec 09, 2010 8:25 pm
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
It is the 10th of December Year 2010.
And Plesk after 9 years still comes up with "remote holes" for admin ...
Thank god I didn't install version 10 ...

_________________
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego


 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Thu Dec 09, 2010 10:53 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7911
Location: earth
Well, it was the 6th major re-write of the whole admin system. :P


 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 8:24 am
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
scott wrote:
Well, it was the 6th major re-write of the whole admin system. :P


Yes. But Plesk is a paid control panel, not an open source one. So everyone would expect at least that they take care of the security of the CP and especially the administrator account. They even keep the admin password in a file inside the server on .psa.shadow. Such things need fixing in my opinion ...

 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 8:49 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7911
Location: earth
Try making that argument with Microsoft!


 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 8:56 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
nobody wrote:
Yes. But Plesk is a paid control panel, not an open source one. So everyone would expect at least that they take care of the security of the CP and especially the administrator account.


You expect paid software to be secure, as opposed to open source? My experience is quite the opposite...

Quote:
They even keep the admin password in a file inside the server on .psa.shadow. Such things need fixing in my opinion ...


It's a file that can only be read by psaadm (and root of course). (I actually like that Plesk does this, because it makes it easy to write generic scripts that can access MySQL to automate some things.)

 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 10:05 am
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
Scott :
Yes. Microsoft in terms of security is some light years ago. And thus it has paid its price. The web is full of Linux - Unix servers which are open source and free, and where Microsoft is used everyone uses software and hardware firewalls instead of asa. To protect as possible the Windows servers behind.

Breun :

Yes, I agree. I didn't mean that open source ain't secure. I just said that when you pay for software you don't tolerate a remote hole bug that you would tolerate in free software maybe. That's what I meant ...

 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 2:01 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
nobody wrote:
Yes, I agree. I didn't mean that open source ain't secure. I just said that when you pay for software you don't tolerate a remote hole bug that you would tolerate in free software maybe. That's what I meant ...


I don't tolerate any remote holes. But yeah, at least open source gives anyone the opportunity to look into it and fix it.

 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 4:19 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7911
Location: earth
Sadly, with the internal change to lighttpd we can't stick mod_security into the Plesk daemon any more.


 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 4:57 pm
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
scott wrote:
Sadly with the internal change to lighttpd we can't stick mod_security into the plesk daemon any more.


At least, since we will be forced to run lighttpd, we can install the mod proxy and use lighttpd for sending the photos to users, which is much faster than Apache and improves a lot the speed and load on a server, as I've read.

What do you think ?

 
 Post subject: Re: Admin password vulnerability in Plesk 10.0.1
Posted: Fri Dec 10, 2010 5:31 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7911
Location: earth
You don't want to use the Plesk daemon for that :P

