
Recent Plesk Vulnerability

Posted: Fri Feb 10, 2012 7:35 am
by laughingbuddha
Hi all,

I received an email from Parallels about a Plesk SQL injection vulnerability.

It talks about running a micro update, but are these updates safe to run, especially when I use ASL on my box and Plesk was installed via the ART yum channel?

Thanks

Re: Recent Plesk Vulnerability

Posted: Fri Feb 10, 2012 9:04 am
by faris
Normally safe to run. Been OK for me in past. Dragged myself in to work from sick bed to do it. You will hear the screaming if it goes wrong.

Re: Recent Plesk Vulnerability

Posted: Fri Feb 10, 2012 9:37 am
by faris
Seems OK so far. Bloody useless in Plesk 8.6 though. No indication of which microupdates are installed or not.

Best of all, it says my installed version November 2011 - new version available, April 2011. Kind of lame.

Re: Recent Plesk Vulnerability

Posted: Fri Feb 10, 2012 2:11 pm
by mikeshinn
We'll be adding in a proxy option into 3.0.20 or 21 to help with these things in the future (Plesk uses lighttpd, which also does not have any WAF module). You will be able to put ASL in front of Plesk (and anything else for that matter) and proxy everything thru it. So even if Plesk, or anything else, has a vulnerability in it we will stop it.

Re: Recent Plesk Vulnerability

Posted: Fri Feb 10, 2012 6:21 pm
by laughingbuddha
Just got in from the radio show. Great idea, Mike.

Thanks guys, I'll run the update now.