AwStats and Cgi-bin directory: security concerns!


Fenice
15th March 2007, 08:11 PM
Hello,

I have Plesk 8.1 running on my server. I have always been ultra careful on my systems, taking a multi-layered security approach to protect my work.

Today, I noticed something disconcerting. When I create a website with no access to the cgi-bin directory, a ScriptAlias for the website is automatically set to the system-wide cgi-bin. It wouldn't be a problem if the cgi-bin was empty, but it actually contains the awstats directory with the awstats.pl executable - even though you are not using awstats on any of your websites.

I realized this after a few months, and I now fear some malicious users could have used this hole to attack my server, as awstats has been known for being one of the favorite points of entry to the system for hackers and script kiddies.

I want to know from SwSoft what this hole can cause on our system, and why they set up Plesk 8.1 to leave access to the cgi-bin/awstats directory by default.
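
Added example (not part of the original thread, and not Plesk or SwSoft code): a small audit that reads Apache virtual-host configuration and reports every ScriptAlias whose target lies outside the site's own directory tree, noting whether awstats/awstats.pl is present there. The sample configuration, paths and site names are constructed; the function names and the rule "a site's files live under the parent of its DocumentRoot" are assumptions.

```python
import os
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample configuration: paths, addresses and site names are made up
# for illustration and are not taken from a real Plesk installation.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName site-a.example
    DocumentRoot /srv/vhosts/site-a.example/httpdocs
    ScriptAlias /cgi-bin/ "/srv/shared/cgi-bin/"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName site-b.example
    DocumentRoot /srv/vhosts/site-b.example/httpdocs
    ScriptAlias /cgi-bin/ /srv/vhosts/site-b.example/cgi-bin/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name):
    """Return the argument list of every `name` directive in a vhost block."""
    pat = re.compile(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(name), re.M | re.I)
    return [shlex.split(args) for args in pat.findall(block)]

def foreign_script_aliases(conf_text, is_file=os.path.isfile):
    """List (site, url, directory, has_awstats) for CGI dirs outside the site."""
    findings = []
    for block in VHOST_RE.findall(conf_text):
        site = (directive(block, "ServerName") or [["(unnamed)"]])[0][0]
        docroot = directive(block, "DocumentRoot")
        # Assumption: a site's own files live under the parent of its DocumentRoot.
        site_root = PurePosixPath(docroot[0][0]).parent if docroot else None
        for args in directive(block, "ScriptAlias"):
            if len(args) != 2:
                continue
            url, target = args[0], PurePosixPath(args[1])
            if site_root and site_root in (target, *target.parents):
                continue  # the CGI directory belongs to this site
            has_awstats = is_file(str(target / "awstats" / "awstats.pl"))
            findings.append((site, url, str(target), has_awstats))
    return findings

if __name__ == "__main__":
    for finding in foreign_script_aliases(SAMPLE_CONF):
        print(finding)
```

To audit a real server, pass the text of the actual per-site configuration files instead of SAMPLE_CONF; the default is_file check then looks at the local filesystem.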

Spre
3rd April 2007, 04:18 AM
Awstats is a complete security risk. The fact that SwSoft put it in Plesk means they care about one thing: themselves. Do not use it and get rid of awstats. Every site exploit/hack that has gone on for the last few years has ALL been traced back to awstats.

JoaoCorreia
9th April 2007, 10:29 AM
How do I remove awstats?


rpm -e awstats --nodeps

Best regards
Joao Correia

DerFalk
9th April 2007, 12:28 PM
rpm -e awstats-6.5-2.swsoft.noarch