Plesk 11.x / Linux :: SSL Server Allows Anonymous Authentication Vulnerability
Jun 27, 2013
I am using Plesk 11.0.9 and I want to disable SSL anonymous authentication. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm.
We have Plesk Panel 11.5 in Virtuozzo containers (CentOS 6 x86_64) and we often provide our customers with SSH access with chroot - /usr/local/psa/bin/chrootsh. We all know about the Shellshock vulnerability and we have already installed all fixes to bash, but the chrootsh version is still vulnerable. Here are the results of BashCheck from [URL] ..... under a chrooted user:
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
bashcheck: line 15: 19226 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer.
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug).
Do you plan to release updates for chrootsh?
Each time I migrate a domain from a Plesk 9.5.5 Windows hosting server to the new Plesk 11.5 server, the customer's IUSR password does not match the system's IUSR password. So after each migration the website is requesting a username and password.
1. How to solve that for the whole installation?
2. At Plesk 7.5 and later there was a workaround which is no longer supported: websrvmng.exe --update-anon-password --domain-name=yourdomain.com
I am trying to create an authentication key in SSH with Plesk 11.5.30 on a CentOS Linux box... I followed the following KB article to create the authentication key. URL... The authentication key is not working.
Lately I've been spending a lot of time grok'ing the Postfix logfile (i.e., /usr/local/psa/var/log/maillog) and I've been noticing a lot of authentication failures (and even one successful break-in).
Most entries are just a simple pair of log entries that includes the source IP address and then the details of the mailbox name, like this one:
Code:
Aug 12 08:08:18 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:20 www plesk_saslauthd[4434]: failed mail authenticatication attempt for user 'media@example.com' (password len=6)
[Code]....
How are these entries generated? i.e., why is the mailbox name given right away sometimes (like the first example) while - other times - the account name isn't displayed for several seconds - almost ninety seconds in the second example?
I have a brand-new server with CentOS 6.5 Final with Plesk 12.
For some unknown reason I'm not able to configure Postfix as an SMTP server and accept plain text authentication. It only accepts TLS authentication on both port 25 and 587. If I install Qmail everything works without any problem.
I have a VPS with Plesk 12. I created an email account with one of my domains and when I try to send emails from this account through the Roundcube webmail, I get the following error: An error has occurred! SMTP Error (250): Authentication failed.
I have a new Plesk 11.0.9 #34 server with CentOS 6.3 64-bit.
I made a few changes in order to be PCI Compliant.
I created a domain and tried to send email with no luck.
----------Maillog------------
Jan 24 16:01:28 server7 pop3d-ssl: Connection, ip=[::ffff:X.X.X.X]
Jan 24 16:01:34 server7 pop3d-ssl: IMAP connect from @ [::ffff:X.X.X.X]ERR: LOGIN FAILED, ip=[::ffff:X.X.X.X]
Jan 24 16:01:34 server7 pop3d-ssl: Unexpected SSL connection shutdown.
Jan 24 16:01:48 server7 pop3d-ssl: Connection, ip=[::ffff:X.X.X.X]
[Code] ....
As you can see from the logs, the pop/imap connection is successful. I log in to webmail with the username/password successfully. I can't send from Outlook/Thunderbird etc.
Tried to rebuild emails with /usr/local/psa/admin/sbin/mchk --with-spam but no luck.
I initially had trouble where every time I tried to load webmail.domain.tld I would have a DNS error. I've resolved this by correcting the DNS settings on my domain and now I can log in to the webmail and receive emails. Now, whether I use Horde or Roundcube I get this authentication error for my SMTP. I'm very new to this stuff and I'm not sure where my log files are or what the issue could be or even how to fix it.
I'm currently experiencing a lot of problems using Horde. Users are not able to log in due to this error:
Code:
2014-10-09T10:00:54+02:00 EMERG: HORDE Uncaught exception 'Horde_Exception_PushApp' with message 'User xxx@yyy.tld is not authorized for Horde.' in /usr/share/psa-pear/pear/php/Horde/Registry.php:1555
Stack trace:
#0 /usr/share/psa-pear/pear/php/Horde/Registry.php(1198): Horde_Registry->pushApp('horde', Array)
[Code] .....
I've already tried re-installing Horde, but without success.
There's an article in your KB, but `/var/lib/php/session` does not exist and `/var/lib/php5/sessions` has the required perms.
I've also tried to set session.save_path to `/var/lib/php5/sessions` in `/etc/psa-webmail/horde/horde/php.ini` and after a restart, sessions are written into that directory. But the problem still exists.
Code: _b|i:1412842564;_r|i:1412864164;horde|a:25:{s:11:"auth/authId";s:13:" xxx@yyy.tld";s:12:"auth/browser";s:110:" Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36";s:16:"auth/credentials";s:4:" imp";s:15:"auth/remoteAddr";s:15:" my.ip.addr.ess";s:11:"auth/userId";s:13:"
Two days ago we upgraded a Plesk Panel 11.5 to 12.0.18. It had been working properly until today. Lots of mailboxes don't work, with the error
Jun 24 13:30:12 hosting2 plesk_saslauthd[19704]: No such user 'mailbox@domain.tld' in mail authorization database
Jun 24 13:30:12 hosting2 plesk_saslauthd[19704]: failed mail authenticatication attempt for user 'mailbox@domain.tld' (password len=10)
The /usr/local/psa/admin/bin/mail_auth_view shows only a few mailboxes. The /usr/local/psa/admin/sbin/mchk --with-spam doesn't fix the problem.
If we change the password of one of the crashed mailboxes, it works until the /usr/local/psa/admin/sbin/mchk command is executed.
If we try to clear a new mailbox in one of the domains that doesn't work, we acquire the error "mailmng-outgoing failed"...
I installed the Google Authenticator extension, and the inevitable happened: my phone died. So now I am left without access to the Plesk panel. How can I disable the authentication in the SQL database, so I can log in again?
We are currently running ColdFusion 9 on an Apache server. After running a Webinspect scan for one of our web applications, a weak cipher vulnerability was flagged as critical. Their recommended change to the httpd.conf file is listed below. We made the change and restarted our server but the same vulnerability came up again. How to eliminate the weak cipher vulnerability?
We have set up a site for a customer. When anyone goes to view the site, a default authentication pop-up appears, and the only way to view the website is to type in the customer's cPanel login details.
I've checked the IUSR, IWPD permissions and they are correct, and checked the authentication modules and level in IIS and they seem to be correct.
Is there a way to set a customer's permissions to the default settings?
I accidentally deleted the httpdocs folder. After that I created it manually and uploaded my website. Now it is showing 'Authentication Required' whenever I want to open my site through a browser.
Plesk Panel, 11.0.9, #61, Windows 2008 R2 SP1, x64
PROBLEM: With reports configured to send out to an email address local on the Windows server configured through PLESK, if local relay isn't enabled at 127.0.0.1 on the SmarterMail server, the reports are never delivered.
- server is [domainx].com
- email to receive reports from PLESK is plesk444@[domainx].com
- this email address is able to send and receive internally or externally to and from any client w/ SMTP auth enabled.
If SmarterMail is configured with SMTP Authentication Bypass for 127.0.0.1, we get the scheduled report emails as we should. Without the SMTP Authentication Bypass enabled, none of the clients or administrators get any reports or notifications at all.
QUESTION: How can I configure PLESK Panel 11 itself to use that SMTP Authentication to send those reports out? --is there a configuration file or registry value I can add or modify?
I've got a buddy who wants to host a website with some questionable content. Nothing on the website will be illegal but he wants to remain completely anonymous.
Has anyone here ever used www.katzglobal.com, or can anyone recommend this grade of hosting?
about anonymous hosting/domain registration. I've been a web developer for a while and just started building a site for a friend of mine overseas. He wants everything to be completely anonymous due to the nature of the site (steroids).
Now I'm pretty sure I got it figured out but it seems too easy. Offshore domain registration with a prepaid card/ offshore web hosting the same way. My guy says he wants everything as anonymous as possible and is already hooked up to the Tor network with Privoxy.
We have more than 10 domains on the same webspace, sharing the same document root. When we try to add a new domain on the same web space (sharing the same document root) Plesk takes a long time to create it (about 10 minutes). While domain creation, all the other domains sharing the same document root and web space get an authentication error. When Plesk finishes, all domains work again.
This security flaw came to light at the end of October and I didn't find it posted already so thought it worth mentioning, having tested the helpdesks for some sites that we use and found them to be at risk. Details and a demo exploit URL can be found at [url]
For anyone who doesn't know, XSS flaws that allow execution of arbitrary JavaScript can be exploited easily and without user knowledge to obtain information such as login details or session IDs. This could happen in various ways, including visiting an unrelated page with a simple URL that redirects to the vulnerable URL and then back again. Tools such as NoScript for Firefox may help protect against this on the client side.
In order to run commands from the /scripts folder. This is especially dangerous as a user can give an account reseller privilege with full root access.
Because webshell.cgi is running with the uid/gid of Apache, it can access all files which can be accessed by Apache. And guess what.... the /scripts folder is one of them.
Because it's a CGI script, it doesn't seem as though there is an easy way to block this.
A client of mine contacted me to do some changes to his website that's being hosted with GoDaddy (it was not me who did the previous work; I'm trying a site hosted with GoDaddy for the first time).
So I tried to enter the site through my SmartFTP, but the moment I hit enter after filling in the address, login and password, the login and password fields turn greyish, and the address gets changed to 'domain name - anonymous'.
I get a small remote browser like I get in the case of other websites, but I get something empty in this case. I don't see any files of the website present in that browser.
I am building a website which requires a data feed from a third-party data provider. I have to fill out a 'questionnaire' when submitting my application and I'm not sure what to put for this question.
Question: "Have you run a vulnerability assessment of network security? What is the current assessment rating?"
I Googled for security rating but came up blank, without any useful result. Is there a level like 1-5 or something for network security rating? I'm not sure what to put here.
I'm not against getting a shared/virtual hosting account if a host could provide me with these ratings.
Every time a new account is created in WHM/cPanel, the "Allow Anonymous Access for FTP" option is enabled by default. Since this is something I want turned off for all new accounts... does anyone know a way of switching this off globally in cPanel/WHM so that every new account will have this turned off by default?
I am currently running Apache on my QNAP server, and have enabled the web server and LDAP. We have set up users on LDAP. I have created a landing page for access from the internet. I want to configure Apache to authenticate the users using LDAP before granting access to the landing directory.
I have started this with the apache configuration below: My apache config file -
When I access my page, I get the authentication prompt. But when I enter my LDAP login and password, I get thrown out of the system with the error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, admin@NAS and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Looks like my Apache configuration is the problem, as I am able to access my LDAP and everything with LDAP seems to be working fine except the Apache configuration to authenticate against LDAP.