plesk vuln to new horde exploit...

The version of plesk that we run is 7.5.4 reloaded. I noticed it was vuln to the horde (webmail) exploit that was released today. Plesk hasn't released a patch as of yet, so I made my own until they issue one. They told me one should be issued sometime next week if the developers thought one was needed. Here's a temp patch I made this morning.

Add the following lines of code to the index.php file located in
/usr/share/psa-horde/services/help.

add it after

$topic = Util::getFormData('topic');

and before

if ($module == 'admin') {

After a patch is issued by plesk remove the code then update.

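// Temporary filter: strip ';' and "'" from $module before it is used below.
$good_module = $module;
// Each entry is a regex that uses ' as its delimiter.
$bad_chars = array
(
"';'",   // matches ;
"'\''",  // matches '
);
// Only one replacement is listed, so ';' becomes a space and "'" is removed.
$replace = array
(
" "
);
$good_module = preg_replace ($bad_chars, $replace, $good_module);

$module = $good_module;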

cheers,
freebsdmike
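
An alternative to the character-stripping filter above, as an added example that is not part of the original post or of Plesk's or Horde's code: it accepts the module value only when it matches an allowlist pattern and otherwise falls back to a fixed default. The name pattern, the 'horde' default and the function names are assumptions for illustration, and the sample inputs are constructed.

```php
<?php
// Added example: allowlist check for the help viewer's "module" parameter.
// Assumption: valid module names are short and use only a-z, 0-9, '_' and '-'.

// The denylist filter from the post, wrapped in a function for comparison.
function denylist_module($module)
{
    $bad_chars = array("';'", "'\''");   // regexes matching ; and '
    $replace   = array(" ");             // ';' -> space, "'" -> removed
    return preg_replace($bad_chars, $replace, $module);
}

// Allowlist: return the name unchanged if it matches, otherwise a fixed default.
// \A and \z anchor to the whole string, so a trailing newline is rejected too.
function allowlist_module($module, $default = 'horde')
{
    if (is_string($module) && preg_match('/\A[a-z0-9_-]{1,32}\z/', $module)) {
        return $module;
    }
    return $default; // hypothetical default module name
}

// Constructed sample inputs (not taken from any real request).
$samples = array('imp', 'horde', "imp;x", "a'b", 'imp/../x', "imp\n", 'imp(x)');

foreach ($samples as $in) {
    printf("%-12s denylist=%-12s allowlist=%s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        json_encode(denylist_module($in), JSON_UNESCAPED_SLASHES),
        json_encode(allowlist_module($in), JSON_UNESCAPED_SLASHES));
}
```

The denylist passes through every character other than ; and ', while the allowlist replaces any value it does not recognise as a plain module name with the default.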
