Applicable to:
- Plesk for Linux
- Plesk for Windows
Situation
A critical vulnerability (with the internal ID PFSI-62465) was identified and fixed in Plesk a long time ago. Complete information about exploiting this vulnerability is going to be disclosed publicly.
Vulnerable Plesk versions: from 17.0 to 18.0.31. These are unsupported Plesk versions, for which hotfixes are no longer released.
Impact
All supported versions of Plesk are immune. If you use one of them, there is no impact for you.
Otherwise, if your Plesk instance is vulnerable (you are running Plesk 17.0 to 18.0.31), a malicious subscription owner (customer or additional user) can fully compromise the server if an admin visits a certain page in Plesk related to the malicious subscription.
Call to action
Keep your Plesk instances up-to-date.
Warning: Please do not apply the patch if you are not running the latest Plesk Onyx microupdates (Version 17.0.17 Update #86, Version 17.5.3 Update #98, Version 17.8.11 Update #95). Such a situation may occur on OSes that reached their EOL (e.g. Ubuntu 14.04, Debian 8, CentOS 6) before the microupdates were applied.
If, for some reason, you absolutely must keep using one of the unsupported Plesk versions listed below, patch the vulnerable servers manually. Please follow the instructions below for the corresponding platform:
Plesk for Linux
- Connect to the server via SSH.
- Download the archive for the corresponding version:
3.1. Copy the link that contains your Plesk version from the list below:
- plesk-18.0.31.zip
- plesk-18.0.30.zip
- plesk-18.0.29.zip
- plesk-18.0.28.zip
- plesk-18.0.27.zip
- plesk-18.0.26.zip
- plesk-18.0.25.zip
- plesk-18.0.24.zip
- plesk-18.0.23.zip
- plesk-18.0.21.zip
- plesk-18.0.20.zip
- plesk-18.0.19.zip
- plesk-17.8.zip
- plesk-17.5.zip
- plesk-17.0.zip
3.2. Download the archive using the
wget <copied link>
command, e.g. for Plesk 18.0.31:
# wget https://plesk.zendesk.com/hc/article_attachments/7226932682514/plesk-18.0.31.zip
3.3. Unzip the downloaded file using the
unzip <link text>
command, with the link text taken from 3.1, e.g. for Plesk 18.0.31:
# unzip plesk-18.0.31.zip
- Back up the file:
# cp /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php.bk
- Substitute the file with the downloaded one:
# mv SiteRenderer.php /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php
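As an added example (not from this article or from Plesk), the Linux steps above wrapped in one POSIX shell script that also enforces the microupdate warning and refuses versions that are not in the archive list; the script name and the way `plesk version` output is passed in are assumptions:

```shell
#!/bin/sh
# Added helper for the Linux steps above (not Plesk's own tooling): maps the installed
# version to the archive name from the list, refuses Onyx builds below the microupdates
# named in the warning, backs up SiteRenderer.php and swaps in the patched copy.
set -eu

TARGET=/usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php

# Version -> archive name, exactly as listed in the article (18.0.22 is not
# listed there, so it is refused rather than guessed).
archive_for_version() {
  case "$1" in
    17.0.*) echo plesk-17.0.zip ;;
    17.5.*) echo plesk-17.5.zip ;;
    17.8.*) echo plesk-17.8.zip ;;
    18.0.19|18.0.20|18.0.21|18.0.23|18.0.24|18.0.25|18.0.26|18.0.27|18.0.28|18.0.29|18.0.30|18.0.31)
      echo "plesk-$1.zip" ;;
    *) return 1 ;;
  esac
}

# Minimum Onyx microupdate from the warning above; 0 where the article states none.
min_update_for_version() {
  case "$1" in
    17.0.17) echo 86 ;; 17.5.3) echo 98 ;; 17.8.11) echo 95 ;; *) echo 0 ;;
  esac
}

# "Product version: Plesk Onyx 17.8.11 Update #53" -> "17.8.11 53"
parse_plesk_version() {
  printf '%s\n' "$1" | sed -n 's/^Product version: Plesk [A-Za-z]* \([0-9.]*\) Update #\([0-9]*\).*/\1 \2/p' | head -n 1
}

patch_allowed() {  # $1 = version, $2 = update number; succeeds when the patch applies to this build
  [ "$2" -ge "$(min_update_for_version "$1")" ] && archive_for_version "$1" >/dev/null
}

apply_patch() {  # $1 = downloaded archive path, $2 = version, $3 = update number
  patch_allowed "$2" "$3" || { echo "refusing: $2 Update #$3 is not in the patch list or below the required MU" >&2; return 1; }
  [ "$(basename "$1")" = "$(archive_for_version "$2")" ] || { echo "archive does not match version $2" >&2; return 1; }
  cp -p "$TARGET" "$TARGET.bk.$(date +%Y%m%d%H%M%S)"         # timestamped copy of the original
  unzip -o -j -d "$(dirname "$TARGET")" "$1" SiteRenderer.php  # overwrite with the patched file
}

# Usage (assumed script name): sh patch_siterenderer.sh /root/plesk-18.0.31.zip "$(plesk version)"
if [ $# -eq 2 ]; then
  parsed=$(parse_plesk_version "$2")
  [ -n "$parsed" ] || { echo "could not parse plesk version output" >&2; exit 1; }
  apply_patch "$1" $parsed
fi
```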
Plesk for Windows
- Connect to the server via RDP.
- Download the archive for the corresponding version using the links below and unzip it.
- Back up the %plesk_dir%admin\plib\Smb\View\Web\SiteRenderer.php file.
- Substitute the %plesk_dir%admin\plib\Smb\View\Web\SiteRenderer.php file with the one from the downloaded archive.
Comments
15 comments
Thank you for this. A lot of customers refuse to migrate to newer systems. So thank you for not leaving them in the dark.
We will urge them once again to migrate. Not only because of the risks, but also because of better support (Plesk) and more features like higher PHP versions.
Same error here:
Product version: Plesk Onyx 17.8.11 Update #53
Update date: 2021/11/11 23:26
Build date: 2019/04/26 03:53
OS version: Ubuntu 14.04
I tried to apply the update as @Leonid Gukhman said, but my Plesk stayed on the same version; look:
You already have the latest version of product(s) and all the selected components
installed. Installation will not continue.
@Rocksalt International Pty Ltd
@Harald Littschwager
Please install the latest microupdate (#94): Unable to access Plesk Onyx 17.5.3 or Plesk Onyx 17.8.11: The file /opt/psa/admin/htdocs/application.php is part of Plesk distribution. It cannot be run outside of Plesk environment.
Hi,
same problem here:
OS: Ubuntu 14.04.6 LTS
Plesk Onyx Version 17.8.11 Update #53
"The file /opt/psa/admin/htdocs/application.php is part of Plesk distribution. It cannot be run outside of Plesk environment."
All following actions were without any effect:
- "plesk bin extension --disable traffic-monitor"
- "plesk installer update"
- "plesk installer update --repatch"
- "plesk repair installation"
Any ideas or suggestions?
@Leonid: OS-Update is no option ... ;)
Thank you!
When I try to apply the patch (plesk-17.8.zip) to Plesk for Windows version 17.8.11 Update #53, I get the error:
The file D:\Program Files (x86)\Parallels\Plesk\admin\htdocs\application.php is part of Plesk distribution. It cannot be run outside of Plesk environment.
Could you please check?
Hi,
are there any updates if the patch can be applied to older versions, that do not have the latest microupdates installed?
Thank you
Warning! This has not been tested, but should work on Plesk Onyx installations with microupdates up to 58 installed:
https://plesk.zendesk.com/hc/article_attachments/7646425586962/plesk.17.8.before.MU58.php.zip
Please let us know the results.
Hi @Henrique Murta. Ubuntu 14.04 has reached its EOL; please consider migrating to a supported OS.
Looks good to me too so far.
Ubuntu 14.04.6 LTS - Plesk Onyx Version 17.8.11 Update #53
Hi everyone, the file plesk.17.8.before.MU58.php.zip worked here, thanks Leonid Gukhman.
Product version: Plesk Onyx 17.8.11 Update #53
Update date: 2021/11/11 23:26
Build date: 2019/04/26 03:53
OS version: Ubuntu 14.04
Same error with Linux
Ubuntu 14.04.6 LTS
Plesk Onyx Version 17.8.11 Update #53
The file /opt/psa/admin/htdocs/application.php is part of Plesk distribution. It cannot be run outside of Plesk environment
Seems to work, no unwanted side effects so far...
Plesk Onyx Version 17.8.11 Update #53
Hi,
I applied the security patch.
When I go into a subscription I get the error: "The file /opt/psa/admin/htdocs/application.php is part of Plesk distribution. It cannot be run outside of Plesk environment."
Here are the details :
OS : Ubuntu 14.04.6 LTS
Product: Plesk Onyx
Version 17.8.11 Update #53, last updated on 5 Feb 2022 06:26
To everyone that applied the patch on an EOLed OS: please restore the file SiteRenderer.php from a backup for now.
We will check if anything can be done to properly apply patch for your installations and update you on Wednesday. I have also added the corresponding warning to the article.
THANK YOU!
It works