Applicable to:

  • Plesk for Windows

Situation

Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/

Impact

If myLittleAdmin is installed, an unauthenticated remote attacker can execute arbitrary code under the IUSRPLESK_sqladmin account.

Call to Action

Remove myLittleAdmin from Plesk:

  1. Log in to Plesk
  2. Go to Tools & Settings > Updates > Add/Remove components and uncheck myLittleAdmin.
  3. Click Continue

To manage MS SQL databases after removal, it is recommended to use Microsoft SQL Server Management Studio instead.

Note: It is unlikely that the software vendor will issue any security patches or updates to address this vulnerability.
We are going to remove the ability to install this vulnerable software through Plesk soon.

OR

  1. Connect to the server via RDP

  2. Delete the following lines from %PLESK_DIR%\MyLittleAdmin\web.config:

    <machineKey
    validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
    decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
    validation="SHA1" />
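The manual step above, as an added PowerShell example that is not part of the original article or of Plesk's own tooling: it locates myLittleAdmin's web.config, confirms that the machineKey present is the publicly known one quoted above, takes a backup and removes the element. It assumes the PLESK_DIR environment variable is set in the session and that the script runs with rights to write under that directory.

```powershell
# Added example, not Plesk tooling. Removes the hard-coded <machineKey> from
# %PLESK_DIR%\MyLittleAdmin\web.config after verifying it is the published key.
function Remove-MyLittleAdminMachineKey {
    # Assumption: PLESK_DIR is set (it is normally defined on Plesk for Windows servers).
    $pleskDir = $env:PLESK_DIR
    if (-not $pleskDir) { throw 'PLESK_DIR is not set; cannot locate the Plesk directory.' }

    $configPath = Join-Path $pleskDir 'MyLittleAdmin\web.config'
    if (-not (Test-Path $configPath)) {
        Write-Host "No web.config at $configPath; myLittleAdmin is not installed here."
        return $false
    }

    # The validationKey published in the advisory and quoted in this article.
    $knownValidationKey = '5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF'

    [xml]$config = Get-Content -Path $configPath -Raw
    $node = $config.SelectSingleNode('//machineKey')
    if ($null -eq $node) {
        Write-Host 'No <machineKey> element present; already remediated.'
        return $false
    }

    # Only remove the element when it is the known-bad static key; a different
    # key means someone has customised the file and it should be reviewed by hand.
    if ($node.GetAttribute('validationKey') -ne $knownValidationKey) {
        Write-Host 'A <machineKey> is present but does not match the published key; review it manually.'
        return $false
    }

    # Keep a timestamped backup before editing a configuration file.
    $backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $configPath -Destination $backup

    [void]$node.ParentNode.RemoveChild($node)
    $config.Save($configPath)
    Write-Host "Removed hard-coded <machineKey>; backup saved to $backup."
    return $true
}

Remove-MyLittleAdminMachineKey
```

With the element gone, ASP.NET falls back to automatically generated keys, so any ViewState or forms-authentication tickets issued under the old key stop validating; ASP.NET recycles the application on its own when web.config changes.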