[FIX] Older Plesk Versions - Remote vulnerability in Plesk Panel (CVE-2012-1557)

Article ID: 113321, created on Feb 15, 2012, last review on Aug 12, 2014

APPLIES TO:
  • Plesk 10.3 for Linux/Unix
  • Plesk 10.2 for Linux/Unix
  • Plesk 10.1 for Linux/Unix
  • Plesk 10.0.x for Linux/Unix
  • Plesk 9.x for Linux/Unix
  • Plesk 8.x for Linux/Unix
  • Plesk 7.5.x Reloaded
  • Plesk 7.1.x Reloaded
  • Plesk 7.0.x
  • Plesk 10.3 for Windows
  • Plesk 10.2 for Windows
  • Plesk 10.1 for Windows
  • Plesk 10.0.x for Windows
  • Plesk 9.x for Windows
  • Plesk 8.x for Windows
  • Plesk 7.x for Windows

Disclaimer

This article was created to provide as much explicit information as possible about a remote security vulnerability in Plesk Panel (CVE-2012-1557).

Background Information

An anonymous (unauthenticated) remote attacker can compromise a Plesk server.

Affected Versions

Plesk versions that were affected by the vulnerability:

  • Plesk for Linux / Windows 7.x
  • Plesk for Linux / Windows 8.x
  • Plesk for Linux / Windows 9.x
  • Plesk for Linux / Windows 10.0 - 10.3.1

Parallels takes the security of its Partners very seriously and encourages you to take the actions recommended below as soon as possible.
Parallels understands that it may not be feasible at this time to perform a full upgrade to the latest release of Parallels Plesk Panel 11, which is not affected. A set of Micro-Updates has therefore been released for each affected major version; these resolve the security issue without requiring a system upgrade.

Server Vulnerability Check

To check whether your server is affected by the vulnerability announced above, see the article describing the script created by the Plesk Service Team to automate the verification:

  • 113424 How to make sure if your Plesk Panel 8.x, 9.x, 10.0, 10.1, 10.2 or 10.3 is not vulnerable

Server Vulnerability Fix

If your server is vulnerable, make sure that one of the following Micro-Updates or Custom Fixes is applied immediately. A dash means that no fix of that type exists for that version; apply the one that is listed for your platform.

Plesk Version   Windows Custom Fix   Windows Micro-Update   Linux Custom Fix   Linux Micro-Update
Plesk 8.1       KB112303             -                      KB113313           -
Plesk 8.2       KB112303             -                      KB113313           -
Plesk 8.3       KB112303             -                      KB113313           -
Plesk 8.4       KB112303             -                      KB113313           -
Plesk 8.6.0     KB112303             -                      -                  8.6.0 MU#2
Plesk 9.0       KB112303             -                      KB113313           -
Plesk 9.2.x     KB112303             -                      KB113313           -
Plesk 9.3       KB112303             -                      KB113313           -
Plesk 9.5       KB112303             9.5.5 MU#1             -                  9.5.4 MU#11
Plesk 10.0.x    KB112303             10.0.1 MU#13           KB113313           10.0.1 MU#13
Plesk 10.1      KB112303             10.1.1 MU#22           KB113313           10.1.1 MU#22
Plesk 10.2      KB112303             10.2.0 MU#16           KB113313           10.2.0 MU#16
Plesk 10.3.1    -                    10.3.1 MU#5            -                  10.3.1 MU#5


The complete guide to applying Microupdates is available in the following article:
  • 9294 Using Microupdates in Parallels Plesk Panel 8.6, 9.5.x, 10.x and Parallels Small Business Panel
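The following shell script is an added example; it is not code from this Parallels KB article nor the Plesk Service Team check script referenced in article 113424. It encodes the Linux Micro-Update levels from the table above and reports, for a given Plesk version and installed micro-update number, whether the server is at or above the fix level for CVE-2012-1557. It assumes (not stated in this article) that /usr/local/psa/version starts with the version triple, for example "10.2.0 CentOS 5 1020110129.16", and that the installed micro-update level can be read from an XML file containing patch version="N" entries (on Plesk 10.x this is /root/.autoinstaller/microupdates.xml); the sample data in the script is constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the Parallels KB article): classify a Linux Plesk
# server against the CVE-2012-1557 fix levels listed in the KB table.
#
# Assumptions (not stated in the article):
#  - /usr/local/psa/version holds a line like "10.2.0 CentOS 5 1020110129.16"
#  - the micro-update level is stored in an XML file with patch version="N"
#    entries (Plesk 10.x: /root/.autoinstaller/microupdates.xml)

# Lowest micro-update containing the fix for a Linux base version, per the
# table. Prints nothing for versions that have no micro-update; those need
# the Custom Fix (KB113313) instead.
plesk_min_fixed_mu() {
    case "$1" in
        8.6.0)  echo 2 ;;
        9.5.4)  echo 11 ;;
        10.0.1) echo 13 ;;
        10.1.1) echo 22 ;;
        10.2.0) echo 16 ;;
        10.3.1) echo 5 ;;
        *)      echo "" ;;
    esac
}

# First whitespace-separated field of a /usr/local/psa/version-style line.
plesk_version_from_line() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

# Highest patch version="N" value found in a microupdates.xml-style file.
plesk_mu_from_xml() {
    grep -o 'patch version="[0-9]*"' "$1" | grep -o '[0-9]*' | sort -n | tail -1
}

# Prints one of: fixed | vulnerable | not-listed
#   fixed       - version has a micro-update row and the installed MU is >= it
#   vulnerable  - version is in the affected range (7.x - 10.3.1) and either
#                 has no micro-update (apply KB113313) or the MU is too old
#   not-listed  - version is outside the article's affected list (10.4+, 11+)
plesk_cve_2012_1557_status() {
    ver="$1"; mu="${2:-0}"
    major="${ver%%.*}"
    case "$major" in
        7|8|9|10) ;;
        *) echo not-listed; return 0 ;;
    esac
    if [ "$major" = 10 ]; then
        minor=$(printf '%s\n' "$ver" | cut -d. -f2)
        case "$minor" in
            0|1|2|3) ;;
            *) echo not-listed; return 0 ;;
        esac
    fi
    min=$(plesk_min_fixed_mu "$ver")
    if [ -n "$min" ] && [ "$mu" -ge "$min" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Demonstration on constructed sample data (not a real server).
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
<?xml version="1.0"?>
<patches>
  <product id="plesk" version="10.2.0">
    <patch version="15"/>
    <patch version="16"/>
  </product>
</patches>
EOF
ver=$(plesk_version_from_line "10.2.0 CentOS 5 1020110129.16")
mu=$(plesk_mu_from_xml "$tmp")
echo "Plesk $ver MU#$mu: $(plesk_cve_2012_1557_status "$ver" "$mu")"
rm -f "$tmp"
```

On a real Plesk 10.x Linux server you would feed `plesk_version_from_line "$(head -1 /usr/local/psa/version)"` and `plesk_mu_from_xml /root/.autoinstaller/microupdates.xml` into `plesk_cve_2012_1557_status`. The script covers the Linux column only; a "vulnerable" result for 8.1 to 8.4, 9.0 to 9.3, or a 9.5 release older than 9.5.4 means the Custom Fix or a move to the listed base version is required, since no micro-update exists for those. It is a version check, not a replacement for the verification script in article 113424.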

Plesk for Virtuozzo Specific

If your Plesk installation runs inside a Parallels Virtuozzo Containers virtual environment, install the Micro-Updates or updated PVC templates according to the following guides:

  • 113441 How to install the latest Microupdates for Parallels Plesk Panel to a PVC Linux container
  • 113407 New PVC templates for Plesk 8.6.0, 9.5, 10.0, 10.1, 10.2 Windows and regular distribution kit for Plesk 8.6.0 and 9.5.5 Windows versions with included security fixes
  • 7110 Microupdates are not applied automatically if Parallels Panel for Linux is installed inside Containers by means of Virtuozzo template

Best Practices

To be on the safe side, we recommend securing your server and your customers' subscriptions by resetting the passwords of all Plesk accounts with the script from the Plesk Service Team:

  • 113391 Plesk Mass Password Reset Script
AFTER THE MASS PASSWORD CHANGE YOU MUST REMOVE ALL RECORDS FROM THE 'sessions' TABLE OF THE psa DATABASE, using the new version of the mass password reset script:
# php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions
Clearing the sessions table invalidates any Panel session an attacker may have established before the passwords were changed. Note that the admin password read from /etc/psa/.psa.shadow is passed as a command-line argument and is visible to other local users in the process list while the script runs.

If you have a Plesk 8.x or Plesk 9.x server, we recommend migrating it to Plesk 11, which does not have this security vulnerability.
NOTE that a migration, not an upgrade, should be performed, because a migration can easily be rolled back.
Moreover, during a migration the source Parallels Plesk Panel server keeps working, along with the sites registered on it, whereas an upgrade could cause service downtime.

Additional information

Once the corresponding Micro-Update or Custom Fix has been installed on your server, the security issue is fixed.

We hope this information helps you protect the data on your server from malicious attacks.
