Security update for PLESK server configuration tool [Update]
Software vendor SWSoft has reported a hole in PLESK for Windows, its web-based configuration tool for Web servers and Web hosting. An SQL injection vulnerability allows the PLESK database to be manipulated. SWSoft has not provided any details, but according to reports, a flaw in the auth.php3 file opens up the hole when PLESKSESSID cookies are analyzed.
Only Plesk versions 7.6.1, 8.1.0, 8.1.1 and 8.2.0 for Windows are affected. The vendor has released a revised version of the auth.php3 file, which users are advised to download and install in the directory %plesk_dir%\admin\auto_prepend.
Update
The Linux versions Plesk 8.2.0, Plesk 8.0.0, Plesk 8.0.1 and Plesk 8.1.0 are also vulnerable. The software vendor has also provided an update for that operating system.
- [FIX] SQL Injection vulnerability, PLESK's patch
(mba)