Full Disclosure mailing list archives
PLESK hosting mass deface
From: "Richard Storm" <storm.richard () gmail com>
Date: Mon, 17 Sep 2007 18:53:48 +0300
PLESK (http://www.swsoft.com/) developers doesn't care about security in PLESK. The only countermeasure against one client hacking other is php safe_mode and open_base_dir, not even talking about perl and cgi... Suggestions for plesk owners: *) DO NOT give your clients permission to manage: "Domain creation", "Physical hosting management", "PHP safe mode management", "Management of shell access to server Client can allow access to any type of shell" *) Create domains manualy for them instead, allowing only PHP support with (PHP 'safe_mode' on ). DO NOT ever checkout "PHP 'safe_mode' on". When your user will whine that GalleryX isn't working because of that, tell them to go find another hosting. *) Add this to your php.ini and tell users to read plesk-stat/logs/error_log and hack their code if something breaks disable_functions = exec,passthru,system,shell_exec,leak,chroot,error_log,set_file_buffer,link,popen,openlog, syslog,pfsockopen,extension_loaded,dl,ini_get_all,ini_get,get_defined_functions,get_extension_funcs, getrusage,phpinfo,php_uname,php_logo_guid,zend_logo_guid,zend_version, posix_kill,posix_getpwnam,posix_getpwuid,posix_getrlimit,session_save_path *) DO NOT allow any another service, for example perl, than it is game over for your security, since attacker can upload perl shell to read scripts from other vhosts and compile local root exploit for your unpatched linux kernel. If you fail at even one of these points, than your clients get defaced and your linux box rooted. Sorry, but it seems that PLESK (swsoft) are not going to help you implementing suexec+chroot. And yes, there are no updates for PHP-5.2.4 jet. Yeah, thats what you get about the money, be aware! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PLESK hosting mass deface Richard Storm (Sep 17)