Overview
By default, Plesk Panel 12 allows utilities or scripts to be run on behalf of root in two cases:
- Scheduling tasks with the cron manager
- Handling events with the Event Manager tool
This makes the Panel server potentially vulnerable to malicious software.
Instructions
To eliminate these vulnerabilities, create the following files and leave them empty:
- $PRODUCT_ROOT_D/var/root.crontab.lock prevents users from running cron tasks and viewing the list of tasks scheduled on behalf of root.
- $PRODUCT_ROOT_D/var/root.event.handler.lock prevents users from creating event handlers functioning on behalf of root.
$PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems (RHEL / CentOS) and /opt/psa on DEB-based systems (Debian / Ubuntu).
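The steps above as a shell script, added here as an example and not taken from Plesk's own tooling. The function names and the `apply` argument are hypothetical; it assumes it is run as root and that a preset PRODUCT_ROOT_D environment variable should take precedence over the two default paths.

```shell
#!/bin/sh
# Added example: create the two lock files named in the article.

# Resolve the product root. The two paths are the article's; honouring a
# preset PRODUCT_ROOT_D environment variable is an assumption of this example.
detect_product_root() {
    if [ -n "${PRODUCT_ROOT_D:-}" ]; then
        printf '%s\n' "$PRODUCT_ROOT_D"
    elif [ -d /usr/local/psa ]; then      # RPM-based (RHEL / CentOS)
        printf '%s\n' /usr/local/psa
    elif [ -d /opt/psa ]; then            # DEB-based (Debian / Ubuntu)
        printf '%s\n' /opt/psa
    else
        echo "Plesk product root not found" >&2
        return 1
    fi
}

# Create both lock files, empty, under <root>/var.
create_root_locks() {
    root=$1
    [ -d "$root/var" ] || { echo "missing directory: $root/var" >&2; return 1; }
    for name in root.crontab.lock root.event.handler.lock; do
        lock="$root/var/$name"
        # Never write through a symlink or onto a non-regular file as root.
        if [ -L "$lock" ] || { [ -e "$lock" ] && [ ! -f "$lock" ]; }; then
            echo "refusing to touch $lock: not a regular file" >&2
            return 1
        fi
        : > "$lock" || return 1           # create, or truncate to zero bytes
    done
}

# Succeed only if both lock files exist as empty regular files.
check_root_locks() {
    root=$1
    for name in root.crontab.lock root.event.handler.lock; do
        lock="$root/var/$name"
        if [ -L "$lock" ] || [ ! -f "$lock" ] || [ -s "$lock" ]; then
            echo "lock missing or not empty: $lock" >&2
            return 1
        fi
    done
}

# Run only when invoked as: sh script.sh apply   (hypothetical argument)
if [ "${1:-}" = "apply" ]; then
    root=$(detect_product_root) && create_root_locks "$root" && check_root_locks "$root"
fi
```

Running `check_root_locks` on its own later, for example from a configuration audit, confirms the locks are still in place and still empty.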