Knowledge Base

CVE-2020-13166: myLittleAdmin vulnerability

 
httpsmicrosoftplesk for windowsserversql

Situation

Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/

Impact

If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of IUSRPLESK_sqladmin.

Call to Action

Since the vulnerability was discovered in the latest myLittleAdmin version available (see http://mylittleadmin.com/en/history.aspx), consider applying one of the following workarounds:

To continue using MyLittleAdmin:

  1. Connect to the server via RDP

  2. Delete the following lines from %PLESK_DIR%MyLittleAdminweb.config:

    <machineKey
    validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
    decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
    validation="SHA1" />

Note: the warning message in Plesk GUI will stay as-is even when the code is removed. It can be safely ignored.

If myLittleAdmin is not used:

Remove myLittleAdmin from Plesk:

  1. Log in to Plesk
  2. Go to Tools & Settings > Updates > Add/Remove components and uncheck myLittleAdmin:
    sql.JPG
  3. Click Continue

As an alternative, to manage MS SQL databases it is recommended to use Microsoft SQL Management studio.

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

© 2025 WebPros International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of WebPros International GmbH.

Managed with love with Plesk WP Toolkit