Plesk

CVE-2020-13166: myLittleAdmin vulnerability

Situation

Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/

Impact

If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code under the IUSRPLESK_sqladmin account.

Call to Action

Since the vulnerability is present in the latest myLittleAdmin version available (see http://mylittleadmin.com/en/history.aspx), no update fixes it; apply one of the following workarounds:

To continue using myLittleAdmin:

  1. Connect to the server via RDP

  2. Delete the following lines from %PLESK_DIR%\MyLittleAdmin\web.config:

    <machineKey
    validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
    decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
    validation="SHA1" />

Note: the warning message in the Plesk GUI stays in place even after these lines are removed. It can be safely ignored.
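The same workaround as a script, added here as an example rather than taken from Plesk or myLittleAdmin: it checks whether the web.config still carries the static validationKey quoted above, backs the file up, and removes the machineKey element. It assumes the PLESK_DIR environment variable is set and the file lives at the path given in step 2.

```powershell
# Added example: detect and remove the static <machineKey> from the
# myLittleAdmin web.config on a Plesk for Windows server.
# Assumption: %PLESK_DIR% is set, as it is on Plesk for Windows.
$WebConfig = Join-Path $env:PLESK_DIR 'MyLittleAdmin\web.config'

# The validationKey quoted in this article; its presence is the indicator.
$KnownValidationKey = '5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF'

if (-not (Test-Path -Path $WebConfig)) {
    Write-Host "No web.config at $WebConfig - myLittleAdmin is not installed here."
    return
}

[xml]$Config = Get-Content -Path $WebConfig -Raw
$Node = $Config.SelectSingleNode('//machineKey')

if ($null -eq $Node) {
    Write-Host 'No <machineKey> element present; the workaround is already applied.'
    return
}

if ($Node.GetAttribute('validationKey') -ne $KnownValidationKey) {
    # A custom key is not the one from the advisory; do not touch it blindly.
    Write-Warning 'A <machineKey> exists but is not the static key from this article; review it manually.'
    return
}

# Keep a timestamped backup before editing the configuration.
$Backup = "$WebConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $WebConfig -Destination $Backup

# Without an explicit <machineKey>, ASP.NET falls back to auto-generated
# keys, so the publicly known static key is no longer in use.
[void]$Node.ParentNode.RemoveChild($Node)
$Config.Save($WebConfig)
Write-Host "Static <machineKey> removed from $WebConfig (backup: $Backup)."
```

Saving web.config causes ASP.NET to restart the application automatically, so no IIS restart is needed.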

If myLittleAdmin is not used:

Remove myLittleAdmin from Plesk:

  1. Log in to Plesk
  2. Go to Tools & Settings > Updates > Add/Remove Components and uncheck myLittleAdmin.
  3. Click Continue

As an alternative, to manage MS SQL databases it is recommended to use Microsoft SQL Server Management Studio.