Symptoms
Some phpMyAdmin files are accessible via the Plesk URL even without being logged in to Plesk:
https://plesk.example.com:8443/phpMyAdmin/README
https://plesk.example.com:8443/phpMyAdmin/ChangeLog
Cause
Plesk bug PPPM-13209.
Don't see any sense in making this info public:
Files such as /phpMyAdmin/ChangeLog and /phpMyAdmin/README are considered to be static assets.
Any kind of file can be served as static content as long as it does not change in response to a user’s actions or inputs. This includes images, CSS files, videos, and even web pages.
Resolution
Until the bug is fixed, use a workaround:
Connect to the server via SSH and move affected files to any other directory (/root/ can be replaced with any other target directory of choice):
# cd /usr/local/psa/phpMyAdmin/ && mv CONTRIBUTING.md ChangeLog README RELEASE-DATE* babel.config.json composer.json composer.lock package.json /root/
Deny access to the affected files:
- Connect to the server via SSH.
- Create a backup of the configuration file:
  # cp -a /etc/sw-cp-server/conf.d/phpmyadmin-plesk.inc{,.bak}
- Open the file /etc/sw-cp-server/conf.d/phpmyadmin-plesk.inc for editing, add the directives below to it, and save the changes:
  location ~* /phpMyAdmin/(.*)\.json$ {
      allow 127.0.0.1;
      deny all;
  }
  location ~* /phpMyAdmin/(.*)\.lock$ {
      allow 127.0.0.1;
      deny all;
  }
  location ~* /phpMyAdmin/(CONTRIBUTING\.md|ChangeLog|README|RELEASE-DATE-(.*))$ {
      allow 127.0.0.1;
      deny all;
  }
- Restart the service sw-cp-server:
  # service sw-cp-server restart
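An added check, not part of the Plesk article: the Python sketch below approximates the three `location ~*` regexes with `re` (case-insensitive, unanchored search) and confirms that every file named in the `mv` workaround is covered by a deny rule. The `RELEASE-DATE-0.0.0` name and the probe paths are constructed samples, and the check assumes no other location in the server configuration takes precedence.

```python
import re

# The three location regexes from the directives above. nginx "~*" means a
# case-insensitive, unanchored regex match against the request path.
DENY_RULES = [
    r"/phpMyAdmin/(.*)\.json$",
    r"/phpMyAdmin/(.*)\.lock$",
    r"/phpMyAdmin/(CONTRIBUTING\.md|ChangeLog|README|RELEASE-DATE-(.*))$",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in DENY_RULES]

# File names taken from the "mv" workaround. The RELEASE-DATE suffix is a
# constructed sample because the page only gives the glob RELEASE-DATE*.
AFFECTED = [
    "CONTRIBUTING.md", "ChangeLog", "README", "RELEASE-DATE-0.0.0",
    "babel.config.json", "composer.json", "composer.lock", "package.json",
]


def is_denied(uri):
    """True if a deny rule matches, i.e. non-loopback clients are refused."""
    path = uri.split("?", 1)[0]  # locations are matched without the query string
    return any(rx.search(path) for rx in COMPILED)


def uncovered(names, prefix="/phpMyAdmin/"):
    """Return the affected files that no deny rule would match."""
    return [n for n in names if not is_denied(prefix + n)]


if __name__ == "__main__":
    print("not covered:", uncovered(AFFECTED))
    # Constructed probe paths showing the edges of the rules.
    for uri in ["/phpMyAdmin/readme", "/phpMyAdmin/index.php",
                "/phpMyAdmin/js/README", "/phpMyAdmin/README?x=1",
                "/phpMyAdmin/RELEASE-DATE",
                "/phpMyAdmin/vendor/x/composer.json"]:
        print(uri, "->", "denied" if is_denied(uri) else "served")
```

The third rule only matches names directly under /phpMyAdmin/ and requires a hyphen after RELEASE-DATE, while the .json and .lock rules apply at any depth below /phpMyAdmin/.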