
Vulnerability PFSI-62465 in Plesk

Situation

A critical vulnerability (with the internal ID PFSI-62465) was identified and fixed in Plesk a long time ago. Complete information about exploiting this vulnerability is going to be disclosed publicly.

Vulnerable Plesk versions: from 17.0 to 18.0.31. These are unsupported versions in Plesk, for which hotfixes are no longer released.

Impact

All supported versions of Plesk are immune. If you use one of them, there is no impact for you.

Otherwise, in case your Plesk instance is vulnerable (you are running Plesk 17.0 to 18.0.31), a malicious subscription owner (customer or additional user) can fully compromise the server if an admin visits a certain page in Plesk related to the malicious subscription.

Call to action

Keep your Plesk instances up-to-date.

Warning: Please do not apply the patch if you are not running the latest Plesk Onyx microupdates (Version 17.0.17 Update #86, Version 17.5.3 Update #98, Version 17.8.11 Update #95). Such a situation may occur on OSes that reached their EOL (e.g. Ubuntu 14.04, Debian 8, CentOS 6) before the microupdates were applied.

If, for some reason, you absolutely must use any of the unsupported Plesk versions listed below, patch vulnerable servers manually. Please follow the instructions below for the corresponding patches:

Plesk for Linux

  1. Connect to the server via SSH.

  2. Determine Plesk version.

  3. Download the archive for the corresponding version:

    3.1. Copy the link that contains your Plesk version from the list below:

    3.2. Download the archive using the wget <copied link> command, e.g. for Plesk 18.0.31:

    # wget https://plesk.zendesk.com/hc/article_attachments/7226932682514/plesk-18.0.31.zip

    3.3. Unzip the downloaded file using the unzip <link text> command, with the link text taken from step 3.1, e.g. for Plesk 18.0.31:

    # unzip plesk-18.0.31.zip

  4. Back up the file:

    # cp /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php.bk

  5. Substitute the file with the downloaded one:

    # mv SiteRenderer.php /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php
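An added check-and-patch script for the Linux procedure above (example code, not from the Plesk article): it tests whether a version string falls in the affected range 17.0 to 18.0.31, then performs the back-up and replacement steps against a path you pass in. The version-file path /usr/local/psa/version and its "18.0.31 <OS> <build>" layout are assumptions; verify them on your server before relying on them.

```shell
#!/bin/sh
# Added example for PFSI-62465 (not Plesk's own code).

plesk_installed_version() {
    # First field of the version file. Assumption: /usr/local/psa/version
    # reads like "18.0.31 Ubuntu 20.04 <build>"; pass another path if not.
    f=${1:-/usr/local/psa/version}
    [ -r "$f" ] || return 1
    read -r ver _ < "$f" && printf '%s\n' "$ver"
}

plesk_is_vulnerable() {
    # 0 when "$1" (major.minor[.patch]) is within 17.0 .. 18.0.31 inclusive,
    # 1 when outside the range, 2 when the string is not a version.
    IFS=. read -r major minor patch _ <<EOF
$1
EOF
    [ -n "$major" ] || return 2
    : "${minor:=0}" "${patch:=0}"
    case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
    [ "$major" -eq 17 ] && return 0
    [ "$major" -eq 18 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 31 ] && return 0
    return 1
}

plesk_apply_patch() {
    # $1 = SiteRenderer.php from the unzipped archive,
    # $2 = installed file (default: the Linux path given in the article).
    new=$1
    target=${2:-/usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php}
    [ -f "$new" ] && [ -f "$target" ] || return 1
    cp -p "$target" "$target.bk" || return 1   # step 4: keep a backup
    cp -p "$new" "$target" || return 1         # step 5 (cp keeps the archive copy)
    cmp -s "$new" "$target"                    # confirm the replacement landed
}

# Usage: sh patch-pfsi-62465.sh /path/to/unzipped/SiteRenderer.php
if [ "$#" -ge 1 ]; then
    ver=$(plesk_installed_version) || { echo "cannot read Plesk version" >&2; exit 1; }
    if plesk_is_vulnerable "$ver"; then
        plesk_apply_patch "$1" && echo "patched Plesk $ver"
    else
        echo "Plesk $ver is outside 17.0..18.0.31; nothing to do"
    fi
fi
```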

Plesk for Windows

  1. Connect to the server via RDP.

  2. Determine Plesk version.

  3. Download the archive for the corresponding version using the links below and unzip it.

  4. Back up the %plesk_dir%admin\plib\Smb\View\Web\SiteRenderer.php file.

  5. Substitute the %plesk_dir%admin\plib\Smb\View\Web\SiteRenderer.php file with the one from the downloaded archive.
