Hi,
Situation
Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
Impact
If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of IUSRPLESK_sqladmin.
Call to Action
Remove myLittleAdmin from Plesk:
- Log in to Plesk
- Go to Tools & Settings > Updates > Add/Remove components and uncheck myLittleAdmin:
- Click Continue
As an alternative, to manage MS SQL databases it is recommended to use Microsoft SQL Management studio.
Note: Unlikely software vendor will issue any security patches/updates to address this vulnerability.
We are going to remove the ability to install this vulnerable software using Plesk soon.
OR
-
Connect to the server via RDP
-
Delete the following lines from
%PLESK_DIR%\MyLittleAdmin\web.config
:<machineKey
validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
validation="SHA1" />