A critical vulnerability (with the internal ID PFSI-62465) was identified and fixed in Plesk a long time ago. Complete information about exploiting this vulnerability are going to be disclosed publicly.
Vulnerable Plesk versions: from 17.0 to 18.0.31. These are unsupported versions in Plesk, for which hotfixes are no longer released.
All supported versions of Plesk are immune. If you use one of them, there is no any impact for you.
Otherwise, in case your Plesk instance is vulnerable (you are running Plesk 17.0 to 18.0.31), a malicious subscription owner (customer or additional user) can fully compromise the server if an admin visits a certain page in Plesk related to the malicious subscription.
Call to action
Keep your Plesk instances up-to-date.
Warning: Please do not apply patch if you are not running the latest Plesk Onyx microupdates (Version 17.0.17 Update #86, Version 17.5.3 Update #98, Version 17.8.11 Update #95) - such situation may occur on OSes that have reached their EOL (e.g. Ubuntu 14.04, Debian 8, CentOS 6) before microupdates were applied.
If, for some reason, you absolutely must use any of the unsupported Plesk versions listed below, patch vulnerable servers manually. Please follow the instructions below for the corresponding patches:
Plesk for Linux
Connect to the server via SSH.
Download the archive for corresponding version:
3.1. Copy the link that contains your Plesk version from the list below:
3.2 Download the archive using
wget <copied link>command, e.g. for Plesk 18.0.31:
# wget https://plesk.zendesk.com/hc/article_attachments/7226932682514/plesk-18.0.31.zip
3.3 Unzip the downloaded file using
unzip <link text>command with link text taken from 3.1, e.g. for Plesk 18.0.31:
# unzip plesk-18.0.31.zip
Back up the file:
# cp /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php.bk
Substitute the file with the downloaded one:
# mv SiteRenderer.php /usr/local/psa/admin/plib/Smb/View/Web/SiteRenderer.php
Plesk for Windows
Connect to the server via RDP.
Download the archive for corresponding version using links below and unzip it:
Back up the
%plesk_dir%adminplibSmbViewWebSiteRenderer.phpfile with the one from the downloaded archive.