Case 109049 Summary Arbitrary file overwrite in /scripts/synccpaddonswithsqlhost. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The synccpaddonswithsqlhost script performed unsafe file operations inside the home directories of unprivileged users while running with root’s permissions. By manipulating symbolic links within the .cpaddons sub-directory, a …
Posts Tagged directory
(Jun 10) A malicious source package could write files outside the unpack directory.
(May 1) A malicious source package could write files outside the unpack directory.
(Apr 28) A malicious source package could write files outside the unpack directory.
In the April 2014 survey we received responses from 958,919,789 sites — 39 million more than last month.
Microsoft made the largest gain this month, with nearly 31 million additional sites boosting its market share by 1.9 percentage points.
IIS is now used by a third of the world’s websites. Although this is not Microsoft’s largest ever […]
WordPress hosting: Do not try this at home!
Compromised WordPress blogs were used to host nearly 12,000 phishing sites in February. This represents more than 7% of all phishing attacks blocked during that month, and 11% of the unique IP addresses that were involved in phishing. WordPress blogs were also responsible for distributing a significant amount of web-hosted malware — more than 8% of […]
Debian: 2863-1: libtar: directory traversal
(Feb 18) A directory traversal attack was reported against libtar, a C library for manipulating tar archives. The application does not validate the filenames inside the tar archive, allowing files to be extracted to arbitrary paths. An attacker can craft a tar file to override files beyond the [More…]
[+] The password in notification emails for newly created resellers and customers is now displayed in plain text. (PPPM-1124)
[-] (Windows) The daily maintenance script did not calculate the disk space usage for Microsoft SQL Server databases. (PPPM-1265)
[-] (Linux) Health Monitor did not work on 32-bit Debian 7. (PPPM-993)
[-] The user name for accessing the password-protected directory /plesk-stat/webstat/ was not updated after renaming of an FTP user. (PPPM-1054)
[-] (Windows) Notifications about backup task completion were not sent in some cases. (PPPM-1113)
[+] (Windows) PHP 5.3 has been updated to version 5.3.28.
[+] (Windows) PHP 5.4 has been updated to version 5.4.23.
[+](Linux) The Horde webmail has been updated to version 5.1.5. In this version, the CVE-2013-6275 vulnerability is closed.
[-] (Customer & Business Manager) The upgrade from 11.0.9 to 11.5.30 failed with the error “1054 Unknown column ‘allow_multiply’”. (PPPM-1220)
[-] (Customer & Business Manager) Incorrect calculation of prices took place if a comma (“,”) was used instead of a dot (“.”) in the Prices & Taxation field in service plan settings. (PPPM-881)
[-] Unnecessary backslashes were displayed in the French locale.
[-] (Linux) The daily maintenance task failed if mailbox and domain names were in mixed case. (PPPM-817)
[-] (Windows) The system user of a subscription did not have any permissions to the main domain’s /httpdocs directory after the user was renamed.
[-] After applying the “Domain admin owned by admin” -> “Customer” transition scheme to the new business model after upgrading Panel from old versions like 9.x, the subscription’s auxiliary users were not transferred to the new owner. (PPPM-1129)
[-] (Windows) The Collect Info tool did not collect logs from the php_error.log and panel.log files when the tool was run in the middle mode. (http://kb.parallels.com/116674)
Debian: 2755-1: python-django: directory traversal
(Sep 11) Rainer Koirikivi discovered a directory traversal vulnerability with ‘ssi’ template tags in python-django, a high-level Python web development framework. [More…]
The following disclosure covers the TSR-2013-008, the Targeted Security Release published on July 15th, 2013. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels Case 71121 Summary The Squirrelmail Webmail session file contained plain text …
cPanel Security Disclosure: TSR-2013-0007
Important: cPanel Security Disclosure TSR-2013-0007 The following disclosure covers the Targeted Security Release 2013-06-26. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here:http://go.cpanel.net/securitylevels Case 71193 Summary Local cPanel users are able to take over ownership of …
The following bugs have been fixed:
[-] DrWeb mail handler runs two times on each message (108472).
[-] Upgrade php component breaks permissions on php sessions directory (91998).
Parallels Plesk Automation 11.1 MU#7 is now Available!
The following bugs have been fixed:
[-] Subscriptions that included mail services were not properly removed from PPA.
[-] PPA removed the main license key when a license key for a service node was terminated by the Parallels licensing system.
[-] Administrators failed to add service nodes because PPA incorrectly selected an IP address for communications between the management node and service nodes.
[-] Administrators failed to back up customer accounts that had Windows-based hosting subscriptions.
[-] The ppa_mssql package was installed successfully, but the database server was not available for use.
[-] Administrators failed to correctly transfer subscriptions with web forwarding configurations from Plesk for Windows. They encountered the following errors in the console: “Error: Failed to work around IIS dedicated application pools problem. Exception: (‘Failed to %s IIS dedicated application pool, see debug log for more details’, ‘enable’)”
[-] Administrators could not transfer customer accounts from Plesk to PPA if the accounts were associated with a single e-mail address. The following error message was shown in the console: “There are a number of accounts that are associated with the same e-mail. Change e-mails for the conflicting accounts.”
[-] Administrators failed to move a subscription between nodes if the subscription’s domain had the standard forwarding type. PPA raised an error like “Exception message: Command /usr/local/psa/bin/sw-engine-pleskrun with arguments …”.
[-] When transferring a domain alias with the switched off mail service to PPA, the PPA moving tools erroneously registered the alias on the SmarterMail service node.
[-] The PPA moving tools added the content of the default site template to all transferred subdomains. Thus, after the transfer, a subdomain’s root directory contained not only its source content but the content of the PPA site template as well. This happened only when performing the transfer from Expand based on Plesk 8.
[-] The PPA moving tools failed to transfer subscriptions that belonged to resellers’ customers.
[-] In some cases, the www DNS records were not transferred to PPA from source Plesk Panel servers.
[-] The ppa-transfer tool failed to transfer subscriptions to PPA if they were associated with the same system user. The tool raised an error like “[ERROR] parallels.common.safe |copy-content| Failed to perform an action on subscription…”.
[-] The PPA moving tools failed to transfer domains to PPA if the domains had only IPv6 addresses.
Debian: 2649-1: lighttpd: fixed socket name in world-
(Mar 15) Stefan Bühler discovered that the Debian specific configuration file for lighttpd webserver FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A symlink attack or a race condition could be exploited by a malicious user on the same machine to take over the PHP control [More…]
The following bugs have been fixed:
[-] Any installation of the osTicket APS application is treated by Plesk as a global helpdesk. (114056)
[-] (Windows only) The error “Component php5_4 isn’t supported” appears when creating a subscription. (131758)
[-] MySQL databases aren’t migrated from Plesk 9 and Plesk 10 if the Plesk admin password contains the ‘#’ symbol. (120651)
[-] Upgrade php component breaks permissions on php sessions directory (91998)
How to password protect your directory…
If you are running an Apache server, password protecting directories is fairly simple. There are plenty of generators that will help you generate all of the code that you need to place into your .htaccess and .htpasswd files. This can […]
New version of Plesk Mirror Setup Tool 1.2 is uploaded to the article http://kb.parallels.com/113337
Synchronization of extensions/ directory for Linux versions of Plesk has been added.
The 11.0.9 MU#10 update is recommended for all Plesk users and includes general functionality fixes that improve the stability, compatibility, and security of your Plesk server.
To ensure optimal server reliability and security, Parallels strongly recommends keeping your operating system, as well as the Plesk software, up to date.
What’s Changed
The following new functionality has been added:
[+] MSSQL Server 2012 support has been added.
The following bugs have been fixed:
[-] Chained certificates bundles are be concatenated to the main certificate in nginx config (113865)
[-] PHP error_reporting per vhost is not working due to a wrongly set value (94669)
[-] Cannot change subdomain directory (112590)
[-] Impossible to add plan items provided by the Google AdWords integration module using API-RPC (115802)
[-] Link to documentation on the admin’s password change screen leads to a non-existent page in the documentation (116440)
The following bugs have been fixed:
[-] Panel users failed to send e-mail through qmail if IPv6 support was turned off on the Panel server and turned on on the receiving server. The mail log /usr/local/psa/var/log/maillog contained the error "System_resources_temporarily_unavailable".
[-] Panel always used the /tmp directory for storing backup temporary files during the backup download regardless of the DUMP_TMP_D value in /etc/psa/psa.conf. Panel users got the error "No space left on device" when downloading their backups if there was not enough space on the disk used by /tmp.
[-] Panel users saw wrongly encoded messages on the password retrieval page if the Panel language was set to Russian.
[-] Administrators were unable to simultaneously run multiple restoration processes of the same backup file using the pleskrestore utility.
The following bugs have been fixed:
[-] Password strength policy does not work for the admin on the initial setup page (112284)
[-] Migration of a single subscription from Plesk 10/11 to Plesk 11 ends with the error “Line 48 error: Element ‘template-item’: This element is not expected”.
[-] (Linux only) Mailbox can’t be created on Ubuntu 10.04 (112282)
[-] (Linux only) Resellers’ plans are not migrated to Plesk 11
[-] (Linux only) Web server switching from Apache to Apache with SNI fails because of the wrong apr-devel package
[-] (Linux only) The error “Error: unable to open ‘/etc/httpd/conf/includes/errordocument.conf’: No such file or directory” appears after migration from cPanel
[-] (Linux only) The error “Error occurred during /bin/mkdir command.” appears during migration of protected directories from Plesk 9.5.4
[-] (Linux only) Mailing lists are not migrated from cPanel
[-] (Linux only) Anonymous FTP accounts are not migrated from cPanel
[-] (Linux only) Autoinstaller doesn’t treat the repositories “cloudlinux-base”, “cloudlinux-updates”, “cloudlinux-x86_64-*”, “cloudlinux-i386-*” as third-party repositories on CloudLinux and doesn’t warn the user about the absence of the “base” and “updates” repositories if the “cloudlinux-x86_64-*”, “cloudlinux-i386-*” repositories are defined.
The information in this post is about a project in motion. The final delivery may differ from what is discussed here, especially as we consider the feedback you have. Our last article discussed changing from compile-on-demand to delivery of pre-compiled…
The following functionality has been added:
[+] It is now possible to exclude the execution of statistics.exe from the Daily Maintenance script by adding the registry key daily_script_statistics_disabled (REG_SZ) = true under HKLM\SOFTWARE\PLESK\PSA Config\Config
The following bugs have been fixed:
[-] Forwarding does not work in Plesk installed on Windows 2008 on Parallels Virtuozzo Container
[-] Huge backup file is not transferred to the FTP repository because of timeout after 10 minutes
[-] Checkbox “Suspend domain until backup task is completed” is switched on by default on Backup Scheduling page
[-] DUMP_D is not treated as system directory by Plesk
[-] FTPmng.exe reconfigures all domains when unsuspending a single one
[-] It is impossible to change the hosting settings of any domain while a backup task is in progress, because websrvmng exclusively locks all ‘read’ commands
[-] File Manager: batch File Copy only copies the first selected directory
Mirroring Plesk 11 Preview in Test mode is now Available!
We hasten to inform you that Plesk Service has recently updated Plesk Mirror Setup Tool that allows Providers to manage Plesk 11 Preview in Test mode.
1. Please take into account that Plesk 11 Preview is available on autoinstall-ctp.plesk.com:
rsync://autoinstall-ctp.plesk.com/PP11_unix_preview
rsync://autoinstall-ctp.plesk.com/PP11_win_preview
Plesk 11 RTM / GA will be available on autoinstall.plesk.com.
2. Please make sure you follow the steps described in section “Use Case 5 – Creating a mirror for testing new product versions” of http://kb.parallels.com/113337.
3. Please note that you should:
– flush Plesk 11 Preview into a different directory from your production mirror,
– use the option “--src-host” to specify which repository you manage with the tool,
– use the options “--source” and “--skip-branch-filter” with Autoinstaller to access a specific repository.
Installation and Upgrade Guide: Parallels Installer and Panel Version Quality Tags
http://download1.parallels.com/Plesk/PP10/10.4/Doc/en-US/online/plesk-installation-upgrade-guide/index.htm?fileName=65779.htm
The following bug has been fixed:
[-] Security fix of directory traversal vulnerability in Horde Framework
Following bugs have been fixed:
– PHP module is disabled after installing the vps-optimized template on a VPS
– Renaming an FTP user changes the location of the cgi-bin directory in the domain’s HTTP server config
– Wrong parsing of IMAP folders with spaces in their names during daily maintenance script execution
– ServerAlias directive disappears from the domain’s HTTP server config after virtual host re-configuration
– Applications that cannot be installed in Plesk are hidden from resellers’ service plans
– The vhost.conf files are not backed up/restored by the pleskbackup and pleskrestore utilities
– psa-pc-remote crashed with a segfault under high load
– /usr/local/psa/admin/sbin/statistics generates SQL error
– Subdomains can’t be restored because of domains limit in license
Plesk Panel 10.3.1 MU#10 for Linux and Windows
[-] (Linux) Unable to delete domain without DNS zone recorded in Plesk Panel database
[-] Virtual host directory is not removed when the hosting type is switched to Standard Forwarding
[-] (Windows only) The backup of ASP controller database, AtMail and Horde webmail applications is not created during Plesk panel upgrade
Parallels Plesk Panel 9.5 Prerelease (RTM)
Parallels Plesk Panel 9.5 is now available for download on Parallels PartnerNet.
http://www.parallels.com/partnernet/rtmdownloads/panel/
http://www.parallels.com/products/plesk95/
Changelog
1. [+] PCI Compliance: Parallels Plesk Panel can be made compliant with the Payment Card Industry Data Security Standard. This can be achieved by running a special PCI compliance resolver utility and additional tuning of system components, as described in the document Achieving PCI Compliance for Servers Managed by Parallels Plesk Panel 9.5. The document is available at http://www.parallels.com/products/plesk/docs/parallels-plesk-panel-9.5-pci-compliance/index.htm.
2. [+] Compatibility with Microsoft Internet Explorer 8: Parallels Plesk Panel is now compatible with Microsoft Internet Explorer 8.
3. [+] CloudLinux support: Parallels Plesk Panel can now work under CloudLinux operating system.
4. [+] Google Services for Websites support (beta): Parallels Plesk Panel 9.5 can now be easily integrated with Google Services for Websites. To learn more, refer to Parallels Plesk Panel 9.5 Administrator’s Guide at http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-administrators-guide/64635.htm.
5. [+] More virtualization solutions supported: Parallels Plesk Panel 9.5 can operate in virtual environments created by the following virtualization solutions: Parallels Virtuozzo Containers, Microsoft Hyper-V, Xen, and VMware. There are special licensing options for Parallels Panel software operating inside virtual environments. For more information about licensing options, contact your vendor or call the Parallels sales team. The phone numbers are listed at http://www.parallels.com/contact/.
6. [+] Upgraded components: phpMyAdmin to the version 2.9.11, and Horde Application Framework to the version 3.3.6.
7. [-] SpamAssassin spam filter incorrectly classified most of the messages delivered in the year 2010 as spam – issue resolved.
8. [-] Horde webmail did not open properly in Internet Explorer 8 – issue resolved.
9. [-] Cross-site scripting vulnerability was eliminated.
10. [-] A number of security issues were identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it – these issues were resolved.
11. [-] Migration failed if the /tmp file system was full – issue resolved. Now you can specify any other location for the temporary directory.
Linux/Unix-specific
12. [-] Migration of websites from Plesk Control Panel 7.5.4 to Parallels Plesk Panel 9.2.1 failed if the SpamAssassin spam filter was configured to remove spam e-mail – issue resolved.
13. [-] ProFTPD 1.3.1 was prone to a security vulnerability that allowed attackers to perform cross-site request forgery types of attacks – to resolve this issue, ProFTPD was upgraded to the version 1.3.2e.
14. [-] If the temporary directory on the server was full, an FTP network error occurred on an attempt to move a file from an FTP storage to the server repository – issue resolved.
15. [-] If, in Parallels Plesk Panel, there is a domain with the same name as the server’s hostname, then a message sent to postmaster@$HOSTNAME is bounced back – issue resolved.
16. [-] During upgrade, the default client and domain template values were reset – issue resolved.
17. [-] Plesk 8.x key was not updated automatically to 9.x during product upgrade – issue resolved.
18. [-] After upgrade, var/qmail/control/me file contained only the hostname – issue resolved.
19. [-] Scheduled security scanning by Watchdog (System Monitoring) Module could not start – issue resolved.
20. [-] Postfix mail server occasionally failed to deliver some e-mail messages with the “Unprocessed command” errors – issue resolved.
21. [-] After upgrading Parallels Plesk Panel from versions 8.x to 9.x, scheduled backups could stop working – issue resolved.
22. [-] Web statistics were not calculated properly when the piped logs feature was switched on – issue resolved.
23. [-] The Watchdog (System Monitoring) Module showed security warnings (false positives) due to incorrect default configuration – issue resolved.
24. [+] Upgraded components: IceWarp (Merak) Mail Server to the version 10, Bind DNS server to the version 9.4.3-P4, PHP to the version 5.2.13
25. [+] It is now possible to specify an arbitrary temporary folder as a command-line parameter of the backup tool.
26. [*] Operation of Plesksrv.exe component was stabilized.
27. [-] The standard Parallels Plesk Panel configuration allowed extra information to be viewed (reading the webmail folder) – issue resolved.
28. [-] If the temporary directory on the server was full, an FTP network error occurred on an attempt to move a file from an FTP storage to the server repository – issue resolved.
29. [-] Parallels Plesk Panel hung on an attempt to remove domains with several mailboxes – issue resolved.
30. [-] Parallels Plesk Panel failed to install the DotNetNuke application on websites – issue resolved.