THIS ARTICLE WAS LAST UPDATED ON MAY 14 AT 20:30 GMTPOA 5.3 Update 11, which fixes this vulnerability, has been released.
POA 5.2 Update 15, which fixes this vulnerability, has been released.
IntroductionOn May 3rd, 2012, the PHP-CGI remote code execution vulnerability was disclosed to the general public. This is a Critical Vulnerability affecting all software that contains PHP-CGI.
This vulnerability affects PHP 5 scripts only on websites based on the following Parallels Operations Automation (POA) modules:
- Linux Shared Hosting
- NG Shared Hosting
- PBA, the PBA store, and the POA control panel itself are not affected, as they run PHP using mod_php by default.
- PHP 4 scripts are not vulnerable.
- PHP-FastCGI is not vulnerable to this exploit.
- PHP 5 on Windows Shared Hosting is not used in PHP-CGI mode.
SymptomsPHP-CGI installations are vulnerable to remote code execution. The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. In particular, this concerns the Apache webserver, and some others.
CauseA critical flaw was discovered in PHP (CVE-2012-1823) which allows someone to get the PHP script source code and potentially trigger a remote code execution in some cases (there is no publicly available PoC):
The official patch given on this page still does not resolve the issue entirely.
How to verify if website is vulnerableIn a browser, add "?-s" to the website URL with some existing PHP script, such as in the following example:
If the site is vulnerable, a source code for page.php will be listed in the browser. Otherwise, the proper script execution output will be listed.
Customers with POA 5.2 installed have to install POA 5.2 Update 15. The update will fix the vulnerability and overwrite previously installed workarounds.
Customers with POA 5.3 installed have to install POA 5.3 Update 11. The update will fix the vulnerability and overwrite previously installed workarounds.
Linux Shared Hosting NGThe servers that provide NG Shared Hosting have to be updated from the CloudLinux Network. The new versions of PHP RPMs contain a fix for the specific vulnerability and will overwrite previously installed workarounds.
Additional informationParallels Plesk Panel websites and the product itself are not affected by the PHP-CGI remote code execution vulnerability, except for Parallels Plesk Panel versions 9.0.1 – 9.2.3, in cases where PHP was manually updated to version 5.2 or 5.3. For more information, refer to the following article:
113818 PHP-CGI remote code execution vulnerability (CVE-2012-1823) in Parallels Plesk Panel