Posts filed under 'Plesk'
In Plesk, you can disable PHP’s safe_mode on a per-domain basis. Before doing this, though, be advised that disabling safe_mode could lead to security risks for all of the domains on the server.
In the following steps, replace <domain-name> with your domain as needed.
To configure safe_mode usage, edit or create the file:
/home/httpd/vhosts/<domain-name>/conf/vhost.conf
The contents of the file should be something like:
<Directory /var/www/vhosts/<domain-name>/httpdocs>
Options +FollowSymLinks
<IfModule sapi_apache2.c>
php_admin_flag safe_mode Off
</IfModule>
</Directory>
Note that you cannot edit /home/httpd/vhosts/<domain-name>/conf/httpd.include, as it is overwritten by Plesk, so any changes you put there would be lost.
For the changes to take effect, you need to run the following:
/usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=<domain_name>
And then, reload Apache’s configuration with:
service httpd reload
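The whole procedure above, collected into one script as an added example (this is not the original post's code and not a Plesk tool). It writes the same vhost.conf fragment, then runs the websrvmng and reload commands from the post. The VHOST_ROOT and DRY_RUN variables are assumptions introduced here: VHOST_ROOT defaults to /var/www/vhosts (the same tree the Directory line points at; on Plesk 7.5 /home/httpd/vhosts is the same place), and DRY_RUN=1 stops after writing the file so the script can be exercised on a machine without Plesk.

```shell
#!/bin/sh
# Added example, not from the original post: apply the per-domain
# safe_mode override for one domain. VHOST_ROOT and DRY_RUN are
# assumptions introduced here, not Plesk settings.
VHOST_ROOT="${VHOST_ROOT:-/var/www/vhosts}"

# Print the vhost.conf fragment for a domain (same directives as the post).
gen_vhost_conf() {
    domain="$1"
    cat <<EOF
<Directory ${VHOST_ROOT}/${domain}/httpdocs>
Options +FollowSymLinks
<IfModule sapi_apache2.c>
php_admin_flag safe_mode Off
</IfModule>
</Directory>
EOF
}

# Write conf/vhost.conf for the domain (never httpd.include, which Plesk
# regenerates), then reconfigure the vhost and reload Apache unless DRY_RUN=1.
apply_safe_mode_off() {
    domain="$1"
    conf_dir="${VHOST_ROOT}/${domain}/conf"
    mkdir -p "$conf_dir" || return 1
    gen_vhost_conf "$domain" > "${conf_dir}/vhost.conf" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    /usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name="$domain" || return 1
    service httpd reload
}

# Sanity check: the written file carries the safe_mode directive and a
# closed Directory block, so Apache will accept it on reload.
verify_vhost_conf() {
    conf="${VHOST_ROOT}/$1/conf/vhost.conf"
    grep -q 'php_admin_flag safe_mode Off' "$conf" && grep -q '^</Directory>' "$conf"
}
```

Run it as root with `apply_safe_mode_off example.com`; with `DRY_RUN=1` it only writes the file, which is a convenient way to review the generated block before touching the live server.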
Tested under Plesk 7.5.4.
January 17th, 2007
If you need to password protect a directory that is hosted under a subdomain with Plesk, you’ll find that it is not quite as easy as protecting a directory that is available directly from the main domain.
Here is what I did as a workaround:
Step One
Create a fake password protected directory on the main domain (domain -> Directories -> Add New Directory), named something that does not exist on the domain and is easy to identify, for example s-sample.
Step Two
Create the necessary users for that protected directory from within Plesk.
Step Three
Open your domain’s base httpd configuration file, which will be at /var/www/vhosts/(domain)/conf/httpd.include, and look for a line that contains
<Directory "/var/www/vhosts/(domain)/httpdocs/s-sample">
Copy the lines between <Directory> and </Directory>; they should look something like:
AuthType Basic
AuthName "Restricted"
AuthUserFile /var/www/vhosts/(domain)/pd/d..s-sample
require valid-user
Step Four
Create the .htaccess file using the text from step three, and place it in the directory that you wish to protect on the subdomain.
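Steps three and four done from the shell, as an added example that is not part of the original post: the function pulls the lines Plesk generated between the `<Directory ".../httpdocs/NAME">` tag and its closing `</Directory>` out of httpd.include and writes them as .htaccess into the subdomain directory. The function names, and the trimmed sample httpd.include used to exercise them, are constructed here; the sample only reproduces the shape of the block quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Extracts the Auth* lines that
# Plesk generated for the fake protected directory (step three) and writes
# them as an .htaccess file into the subdomain directory (step four).

# Print the lines between the <Directory "...httpdocs/NAME"> line and the
# matching </Directory>, excluding the two Directory lines themselves.
extract_auth_block() {
    include_file="$1"
    dirname="$2"
    awk -v name="$dirname" '
        # the opening tag for the protected directory starts the capture
        $0 ~ "^<Directory \".*/httpdocs/" name "\">" { inblock = 1; next }
        inblock && /^<\/Directory>/ { inblock = 0; exit }
        inblock { sub(/^[ \t]+/, ""); print }
    ' "$include_file"
}

# Write the extracted block as .htaccess into the target directory.
write_htaccess() {
    block=$(extract_auth_block "$1" "$2")
    [ -n "$block" ] || { echo "no protected directory block for $2 found in $1" >&2; return 1; }
    printf '%s\n' "$block" > "$3/.htaccess"
}

# Constructed sample of what Plesk's httpd.include looks like around the
# block (assumption: trimmed to the relevant lines).
sample_httpd_include() {
    cat <<'EOF'
<Directory /var/www/vhosts/example.com/httpdocs>
Options -Includes +ExecCGI
</Directory>
<Directory "/var/www/vhosts/example.com/httpdocs/s-sample">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/vhosts/example.com/pd/d..s-sample
    require valid-user
</Directory>
EOF
}
```

Usage on the live server would be `write_htaccess /var/www/vhosts/example.com/conf/httpd.include s-sample /var/www/vhosts/example.com/subdomains/sub/httpdocs/private` (the subdomain path is an assumption; use whatever Plesk created for your subdomain). The AuthUserFile path is copied unchanged, so the subdomain keeps using the user list you created in Plesk for the fake directory.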
Done!
If everything went fine, your browser should now prompt for the user name and password you created in Plesk’s interface.
The provided solution was used with Plesk 7.5.4 for Linux.
September 16th, 2006
Running a check on Apache’s default logs (/var/log/httpd/access_log), I found attempts to exploit the server through a “backdoor” in Horde.
I haven’t fully checked what could be done with this exploit, but certainly leaving the affected script unprotected is an open invitation for trouble.
To check it, just request the following from any webmail domain on your server (the following check is completely harmless, as it will only run uname -a and show its results in the browser):
http://webmail.yourserver.com///horde//services/help/index.php?show=about&module=;%22.passthru(%22uname%20-a%22);’.
With some imagination and careful URL encoding, you can get commands to be executed under Apache’s account and privileges.
What I’ve done, until further investigation is performed, is to modify the affected script so that nothing happens when it is called (so far it seems the only downside is that Horde’s Help system stops working).
The affected script is index.php, located at /usr/share/psa-horde/services/help.
For some debugging, I’ve included the following code right before Horde’s code:
<?php
// Dump the request parameters and the server variables (request headers included)
$request = print_r($_REQUEST, true);
$server = print_r($_SERVER, true);
// Mail both dumps; the inner quotes of the From header must be escaped
mail("youremailaddress@example.com",
     "HORDE BOGUS REQUEST " . date("r"),
     "Request\n" . $request . "Server\n" . $server,
     "From: \"Server\" <youremailaddress@example.com>");
// Stop here so Horde's own help code never runs
die();
?>
That will email you every request made to the script, headers included, whether it is legitimate or an attempt to exploit your server.
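The log check mentioned at the start of this post, written out as an added example (not the post's own code): it reads an Apache access_log in the default combined format and prints requests to Horde's services/help/index.php whose module parameter contains anything other than a plain module name, which is what the probe above looks like in the log. The function name and the three sample log lines are constructed here; the third sample line mirrors the request shown above so the filter has something to find.

```shell
#!/bin/sh
# Added example, not from the original post: scan an Apache access log in
# the default combined format for requests to Horde's help script whose
# "module" parameter carries anything but a plain module name.

# Print matching log lines; exit 0 if any matched, 1 otherwise.
find_horde_help_probes() {
    awk '
        # $7 is the request path in the combined log format
        $7 ~ /\/horde\/+services\/help\/index\.php/ {
            n = split($7, parts, "?")
            if (n < 2) next
            m = split(parts[2], params, "&")
            for (i = 1; i <= m; i++) {
                if (params[i] ~ /^module=/) {
                    value = substr(params[i], 8)
                    # a legitimate module name is a bare identifier
                    if (value !~ /^[A-Za-z0-9_-]*$/) { print; hit = 1 }
                }
            }
        }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Constructed sample log: one normal help request, one unrelated request,
# and one probe of the kind described in the post.
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [13/Aug/2006:10:01:02 +0000] "GET /horde/services/help/index.php?show=about&module=imp HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Aug/2006:10:01:05 +0000] "GET /horde/imp/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2006:11:22:33 +0000] "GET ///horde//services/help/index.php?show=about&module=;%22.passthru(%22uname%20-a%22);'. HTTP/1.0" 200 612 "-" "-"
EOF
}
```

Run `find_horde_help_probes /var/log/httpd/access_log` to list the suspicious lines and get a non-zero exit status when none are found, which makes it easy to drop into a cron job. The check keys on the shape of the parameter rather than on one payload string, so it also catches variations in encoding that the post hints at.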
I will update the topic as soon as I have time to correct the script.
This was verified with psa-horde-3.0.5-rhel4.build75050824.12.
UPDATE: The problem is solved on Plesk’s 7.5.4 build 75060413.12, which includes psa-horde-3.1.1-rhel4.build75060413.11.
August 13th, 2006