critical security plesk issue

nobody
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

critical security plesk issue

Guys, take a look at this. I just saw it and pushed right away an update to Plesk 10.4.4. I hope I don't have problems with the update. It affects all Plesk editions except 10.4.4 according to Parallels. The best part is that there is no hotfix for Plesk 10.3.1!

http://kb.parallels.com/en/113321
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego
nobody
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

Re: critical security plesk issue

Scott and Mike,

Haven't you found any way to filter again using modsecurity Plesk panel?

I miss those times when I could sleep slightly better at night... !
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: critical security plesk issue

It's covered by ASL 3.0.20.
Please see post https://atomicorp.com/forums/viewtopic.php?f=8&t=5773
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: critical security plesk issue

Yup! This framework will let us add the WAF to any web-based service... and maybe FTP, but I didn't spend a lot of time on that.
Blake@Parallels
Verified Vendor
Posts: 3
Joined: Mon Mar 05, 2012 8:36 pm
Location: Seattle, WA

Re: critical security plesk issue

nobody wrote: Guys, take a look at this. I just saw it and pushed right away an update to Plesk 10.4.4. I hope I don't have problems with the update. It affects all Plesk editions except 10.4.4 according to Parallels. The best part is that there is no hotfix for Plesk 10.3.1!

http://kb.parallels.com/en/113321
Note, this was addressed for 10.3.1 in MicroUpdate #5 in September 2011 (updates were also issued at that time for 9.5 and 8.6). Further, no base version (e.g. without MUs applied) was vulnerable after 10.4.0 in November 2011.
nobody
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

Re: critical security plesk issue

scott wrote: Yup! This framework will let us add the WAF to any web-based service... and maybe FTP, but I didn't spend a lot of time on that.
Damn. How did I miss on that? Fine job once again!
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: critical security plesk issue

For the avoidance of doubt, I assume this is the same issue with Agent that we've discussed http://www.atomicorp.com/forum/viewtopi ... =13&t=5731 or is it something different?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: critical security plesk issue

Incidentally, there does appear to be a new MU for Plesk 8.6. MU11. Nothing to do with Agent. Looks related to Webmail to me.
Blake@Parallels
Verified Vendor
Posts: 3
Joined: Mon Mar 05, 2012 8:36 pm
Location: Seattle, WA

Re: critical security plesk issue

faris wrote: For the avoidance of doubt, I assume this is the same issue with Agent that we've discussed http://www.atomicorp.com/forum/viewtopi ... =13&t=5731 or is it something different?
Same issue.
Blake@Parallels
Verified Vendor
Posts: 3
Joined: Mon Mar 05, 2012 8:36 pm
Location: Seattle, WA

Re: critical security plesk issue

faris wrote: Incidentally, there does appear to be a new MU for Plesk 8.6. MU11. Nothing to do with Agent. Looks related to Webmail to me.
For 8.6, this issue was resolved via MU#2 - released in September 2011.
nobody
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

Re: critical security plesk issue

Guys, Plesk 10.4.4 works like a charm up till now. Which is a pleasant surprise. Never happened before :P

Blake, when will they fix the issue in which you can move customers between resellers? This was a major step back from version 9 to version 10 ...
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: critical security plesk issue

Blake@Parallels wrote:
faris wrote: Incidentally, there does appear to be a new MU for Plesk 8.6. MU11. Nothing to do with Agent. Looks related to Webmail to me.
For 8.6, this issue was resolved via MU#2 - released in September 2011.
Thank you for the update.
moondog604
Forum User
Posts: 7
Joined: Wed Feb 03, 2010 8:14 pm
Location: Surrey, BC

Re: critical security plesk issue

My 8.6 is patched. I'm Mr Linux/Plesk Newb Question Man today.

1. I am also running a 9.3, so I guess I have to update to 9.5.4?

2. In theory, should I have any problems upgrading if I updated the PHP to 5.2 using the Atomicorp repo?

3. Is it safer to install the updates one at a time or can I jump straight to 9.5.4?

Thanks in advance!
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: critical security plesk issue

1. I would upgrade.
2. You never know, each installation/server might have different settings. Take care of a good and complete backup.
3. I stick with updating Plesk over yum. Then I run the autoinstaller to install MUs. If I would go (which I don't do) and do it via the web interface of Plesk, I would update one by one.
But that's just my opinion.
nobody
Forum Regular
Forum Regular
Posts: 349
Joined: Sun Mar 29, 2009 6:52 pm

Re: critical security plesk issue

Guys. It's the first time that I see great improvement in Plesk after 3 years. Plesk 10.4.4 seems to actually function! I still seek to find what it has broken, that's good! :P