twlc security divison (21/12/2001) plesk (psa) allows reading of .php files Found by: supergate ./twlc Summary: Plesk is a server admnistrator used by LOTS of web hosting companies to make easy the menagement of the server. Its a really cool software!! i work with it. This bug allows you to read the source of the hosted .php files. Systems Affected: All the versions before 2.0 seems to be affected (2.0 should be safe except if you got UserDir directive enabled) Explanation: Its really simple... I'll explain it with an example: HOSTING_FOR_DUMMIES is running plesk, they host http://www.pleskrules.net that uses php, they run php nuke (note that this is just an example) so their configuration file with the database password is located in http://www.pleskrules.net/configure.php if we want to see the sources of this php (so the passwords) we only need to go there http://xxx.xxx.xxx.xxx/~pleskrules/configure.php where obviously 'xxx.xxx.xxx.xxx' stands for the ip of the domain pleskrules.net and '~pleskrules' is the username of the account of pleskrules.net (usually the name of the domain with ~ tilde before). Plesk staff: Has been contacted and in about an hour i had a reply. Really an ELEET bug support system!! The guy 'Anton' explained me that the problem has been fixed in 2.0 but it affects the previous versions. If you got it in 2.0 means that you have UserDir directive enabled! so thanks plesk ! eleet job. keep up the good work!!! plesk rules Patch: Upgrade to 2.0! (www.plesk.com) and if you are vulnerable with it turn off the userdir directive... To do this make sure that you have this following in the httpd.conf file: <IfModule mod_userdir.c> UserDir disabled </IfModule> Conclusions: This advisory has been released just to make safer the web hosting companies, (expecially the one who hosts our domain ehe) so DONT BE AN IDIOT (or a script kiddie) and DONT abuse of it. i again hope in human intelligence. peace people. News about twlc.net we are up again!!! THANKS UNIXRULES.NET FOR HOSTING LOVE <3 GUYS greets: all #twlc, #lt12, #./herb, #insight ;) and for the tests yaroze and the admin of unixrules.net (LOVE) and obviously Anton from plesk.com! Posted at: vuln-dev@securityfocus.com bugtraq@securityfocus.com bugreport@plesk.com http://www.twlc.net/ http://www.twlc.net/article.php?sid=499 Contacts (bugs, ideas, insults, cool girls... remember that trojans and flames are directed to /dev/null): supergate@twlc.net http://www.twlc.net bella;) eof
