twlc-adv-plesk211201.txt

Date: 26 Dec 2001. Reported by: twlc. Type: packetstorm. Source: packetstormsecurity.com

Plesk vulnerability allows access to PHP files; upgrade to version 2.0 to mitigate risks.

twlc security division  
(21/12/2001)  
  
plesk (psa) allows reading of .php files  
  
Found by:  
supergate  
./twlc  
  
Summary:  
Plesk is a server administrator used by LOTS of web hosting companies to make the management of the server easy. It's a really cool software!! I work with it. This bug allows you to read the source of the hosted .php files.   
  
Systems Affected:  
All the versions before 2.0 seem to be affected (2.0 should be safe unless you have the UserDir directive enabled)  
  
Explanation:  
It's really simple... I'll explain it with an example:  
HOSTING_FOR_DUMMIES is running Plesk. They host http://www.pleskrules.net, which uses PHP; they run php nuke (note that this is just an example), so their configuration file with the database password is located at http://www.pleskrules.net/configure.php. If we want to see the source of this PHP file (and so the passwords), we only need to go to http://xxx.xxx.xxx.xxx/~pleskrules/configure.php, where obviously 'xxx.xxx.xxx.xxx' stands for the IP of the domain pleskrules.net and '~pleskrules' is the username of the account of pleskrules.net (usually the name of the domain with a ~ tilde before it).  
  
Plesk staff:  
Has been contacted, and in about an hour I had a reply. Really an ELEET bug support system!! The guy 'Anton' explained to me that the problem has been fixed in 2.0 but it affects the previous versions. If you got it in 2.0, it means that you have the UserDir directive enabled! So thanks Plesk! eleet job. keep up the good work!!! plesk rules  
  
Patch:  
Upgrade to 2.0! (www.plesk.com) and if you are vulnerable with it, turn off the UserDir directive...  
To do this, make sure that you have the following in the httpd.conf file:  
<IfModule mod_userdir.c>  
UserDir disabled  
</IfModule>  
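The UserDir fix above can be verified with a quick config audit. The following Python script is an added example (not from the advisory, Plesk or Apache): it parses constructed httpd.conf samples and reports whether mod_userdir's per-user directories (the /~user/ URLs the advisory relies on) are still enabled, assuming mod_userdir is loaded so that `<IfModule mod_userdir.c>` blocks apply.

```python
"""Audit an Apache httpd.conf for the UserDir directive (added example).

Assumption: mod_userdir is loaded, so directives inside
<IfModule mod_userdir.c> are in effect.
"""
import re

# Constructed sample configs (not taken from any real server).
VULNERABLE_CONF = """
# every account's public_html is reachable as http://host/~user/
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
"""

FIXED_CONF = """
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>
"""


def userdir_status(conf: str) -> dict:
    """Return {'disabled': bool, 'directives': [...]} for a config text.

    Apache semantics applied: `UserDir disabled` with no user list turns the
    feature off globally; a later `UserDir enabled u1 u2` re-enables it for
    those users; any other argument (a directory name such as public_html)
    leaves it on.  Directive names are case-insensitive; '#' lines are comments.
    """
    disabled = False
    seen = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"(?i)^userdir\s+(.+)$", line)
        if not m:
            continue
        args = m.group(1).split()
        seen.append(" ".join(["UserDir"] + args))
        keyword, users = args[0].lower(), args[1:]
        if keyword == "disabled" and not users:
            disabled = True           # global off switch: the advisory's fix
        elif keyword == "enabled" and users:
            disabled = False          # selectively re-enabled for listed users
        elif keyword not in ("disabled", "enabled"):
            disabled = False          # a directory name: ~user URLs are served
    return {"disabled": disabled, "directives": seen}


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        status = userdir_status(conf)
        print(f"{name}: userdir disabled={status['disabled']} {status['directives']}")
```

Run it against a copy of your own httpd.conf (and any included conf.d files) by passing the file contents to `userdir_status`; a result of `disabled=False` means the /~user/ path is still served.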
  
Conclusions:  
This advisory has been released just to make the web hosting companies safer (especially the one who hosts our domain ehe), so DON'T BE AN IDIOT (or a script kiddie) and DON'T abuse it. I again hope in human intelligence. peace people.  
  
News about twlc.net  
we are up again!!! THANKS UNIXRULES.NET FOR HOSTING LOVE <3 GUYS  
  
greets:  
all #twlc, #lt12, #./herb, #insight ;)  
and for the tests yaroze and the admin of unixrules.net (LOVE)  
and obviously Anton from plesk.com!  
  
Posted at:  
[email protected]  
[email protected]  
[email protected]  
http://www.packetstormsecurity.org  
http://www.twlc.net/  
http://www.twlc.net/article.php?sid=499  
  
Contacts (bugs, ideas, insults, cool girls... remember that trojans and flames are directed to /dev/null):  
  
[email protected]  
  
http://www.twlc.net  
  
bella;)  
  
eof
