Overview

By default, Plesk Panel 12 allows utilities or scripts to be run on behalf of root in two cases:

  • Scheduling tasks with the cron manager
  • Handling events with the Event Manager tool

This makes the Panel server potentially vulnerable to malicious software: a scheduled task or event handler that runs as root gives whoever can create it full control of the server.

Upgraded cron functionality was included in the Plesk 12.5 release. If you are still running Plesk 12, we highly recommend you upgrade to take advantage of the new functionality.

Instructions

To eliminate these vulnerabilities, create the following files and leave them empty. The presence of each file disables the corresponding feature:

$PRODUCT_ROOT_D/var/root.crontab.lock

prevents users from running cron tasks and from viewing the list of tasks scheduled on behalf of root.

$PRODUCT_ROOT_D/var/root.event.handler.lock

prevents users from creating event handlers that run on behalf of root.

$PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems (RHEL / CentOS) and /opt/psa on DEB-based systems (Debian / Ubuntu).
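The whole procedure, as an added shell example rather than a script from the article or from Plesk: pick $PRODUCT_ROOT_D from the two distro paths above (an explicit PRODUCT_ROOT_D in the environment overrides the check, which is an assumption made here so the script can be tried against a scratch directory), create both lock files empty, and verify they are present and still empty. The `--apply` flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Plesk article. Creates the two root lock files
# described above. Run as root on the Plesk server: sh make_root_locks.sh --apply

# Assumption: PRODUCT_ROOT_D in the environment overrides autodetection so the
# functions can be exercised against a temporary directory.
detect_product_root() {
    if [ -n "${PRODUCT_ROOT_D:-}" ]; then
        printf '%s\n' "$PRODUCT_ROOT_D"
    elif [ -d /opt/psa ]; then          # DEB-based (Debian / Ubuntu)
        printf '%s\n' /opt/psa
    else                                # RPM-based (RHEL / CentOS)
        printf '%s\n' /usr/local/psa
    fi
}

# Create (or truncate) both lock files so they exist and are empty.
# The directory already exists on a real install; mkdir -p is for scratch runs.
create_root_locks() {
    root="$1"
    mkdir -p "$root/var" || return 1
    for f in root.crontab.lock root.event.handler.lock; do
        : > "$root/var/$f" || return 1
        # Keep the files writable only by their owner (root on a real install):
        # a user who can delete the lock file can re-enable the feature.
        chmod 0644 "$root/var/$f" || return 1
    done
    return 0
}

# Check that both lock files exist and are empty; returns non-zero otherwise.
root_locks_present() {
    root="$1"
    for f in root.crontab.lock root.event.handler.lock; do
        [ -f "$root/var/$f" ] || return 1
        [ ! -s "$root/var/$f" ] || return 1
    done
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    ROOT=$(detect_product_root)
    if create_root_locks "$ROOT" && root_locks_present "$ROOT"; then
        echo "root lock files created under $ROOT/var"
    else
        echo "failed to create lock files under $ROOT/var" >&2
        exit 1
    fi
fi
```

After running it, confirm ownership with `ls -l $PRODUCT_ROOT_D/var/root.*.lock`; the files should be owned by root, since any account that can remove them can re-enable root-level tasks or handlers.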
