Applicable to:
- Plesk for Windows
Situation
Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
Impact
If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of IUSRPLESK_sqladmin.
Call to Action
Since the vulnerability was discovered in the latest myLittleAdmin version available (see http://mylittleadmin.com/en/history.aspx), consider applying one of the following workarounds:
Click on a section to expand
-
Connect to the server via RDP
-
Delete the following lines from
%PLESK_DIR%\MyLittleAdmin\web.config
:CONFIG_TEXT: <machineKey
validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
validation="SHA1" />
Note: the warning message in Plesk GUI will stay as-is even when the code is removed. It can be safely ignored.
Remove myLittleAdmin from Plesk:
- Log in to Plesk
- Go to Tools & Settings > Updates > Add/Remove components and uncheck myLittleAdmin:
- Click Continue
As an alternative, to manage MS SQL databases it is recommended to use Microsoft SQL Management studio.
The warning message about Vulnerability will be removed after next daily task execution
Comments
0 comments
Please sign in to leave a comment.