Parallels Plesk Panel: PHP-CGI remote code execution vulnerability (CVE-2012-1823)

APPLIES TO:
  • Parallels Plesk 9.2 for Linux/Unix
  • Parallels Plesk 9.0 for Linux/Unix

Information

On May 3, 2012, a remote code execution vulnerability in PHP-CGI was publicly disclosed (CVE-2012-1823).
It is rated Critical and affects any installation that runs PHP as a CGI binary (php-cgi) invoked directly by the web server. Under the CGI specification, a query string that contains no "=" is handed to the CGI program as command-line arguments, so an unauthenticated request can pass php-cgi its own command-line switches.
PHP running under FastCGI is not vulnerable to this exploit, because the FastCGI interface does not pass the query string to the interpreter as command-line arguments.

Parallels Plesk Panel (PP) for Windows, versions 10.4 and earlier, is NOT affected.

PP for Linux versions 9.3 - 10.4 are NOT affected by the PHP-CGI remote code execution vulnerability, because they run PHP through the special cgi_wrapper script instead of invoking php-cgi directly.
PP for Linux versions 8.6 and earlier are NOT affected, because they run PHP only as mod_php.

PP for Linux versions 9.0 - 9.2.3 may be vulnerable.

Resolution

To fix this issue on PP for Linux 9.0 - 9.2.3, apply one of the following options:

1. Update PP to the latest version, which is not vulnerable. This is the strongly recommended option.

Parallels's End of Life policy is available here: http://sp.parallels.com/products/plesk/lifecycle

2. If a PP update is not possible, the CGI wrapper is the recommended workaround.

Parallels has prepared a script that installs the wrapper on the server automatically.
On the server running Parallels Plesk Panel for Linux 9.0 - 9.2.3, download the archived script cve-2012-1823-wa_pp.tgz from the attachment, extract it, and run it. The archive is fetched over plain HTTP and setup.sh runs with root privileges, so inspect the extracted script before executing it:

# wget http://kb.sp.parallels.com/Attachments/20000/Attachments/cve-2012-1823-wa_pp.tgz
# tar xfz cve-2012-1823-wa_pp.tgz
# cd cve-2012-1823-wa_pp
# bash setup.sh

3. It is also possible to work around the problem with .htaccess rules in the document root of each website:

RewriteEngine on
# The query string contains no "=", so the CGI interface would pass it to php-cgi as command-line arguments...
RewriteCond %{QUERY_STRING} ^[^=]*$
# ...and it contains a "-" (literal or URL-encoded), i.e. a candidate command-line switch.
# %{QUERY_STRING} is matched before URL decoding, which is why both forms are checked; [NC] makes it case-insensitive.
RewriteCond %{QUERY_STRING} %2d|\- [NC]
# Reject the request with 403 Forbidden.
RewriteRule .? - [F,L]

Because this configuration has to be applied to every webspace, it becomes impractical when thousands of webspaces are hosted. Note also that the rule rejects any request whose query string contains a "-" but no "=", including legitimate ones, and that it only protects paths served by this .htaccess file.
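The following script is an added example, not part of the original Parallels article or of the workaround package. It models the two facts the "Information" and "Resolution" sections rely on: how a CGI server turns a query string without "=" into command-line arguments for php-cgi (the behaviour of Apache's mod_cgi per RFC 3875 section 4.4, reproduced here as an assumption of the example), and what the .htaccess RewriteCond patterns above would block. It then runs both checks over a few constructed Apache combined-format log lines (invented for the example; 203.0.113.0/24 is the documentation address range) to show which requests would have reached php-cgi as arguments and whether the workaround would have stopped them.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format: client, timestamp, request line, status, size, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# The two RewriteCond patterns from the .htaccess workaround, as Python regexes.
# mod_rewrite matches %{QUERY_STRING} before URL decoding, so the encoded
# dash (%2d) must be checked alongside the literal one; [NC] == IGNORECASE.
NO_EQUALS = re.compile(r"^[^=]*$")
HAS_DASH = re.compile(r"%2d|\-", re.IGNORECASE)


def cgi_argv_from_query(query_string):
    """Mimic how a CGI server (RFC 3875 section 4.4; Apache mod_cgi) derives
    argv for the CGI program from the query string (assumption of this example).

    Only a query string with no raw '=' is treated as an argument list: it is
    split on '+' and each word is URL-decoded.  An encoded '%3d' does not count
    as '=', so a switch that takes a value can still be passed through.
    Returns [] when the server would pass no arguments at all."""
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def blocked_by_workaround(query_string):
    """True when the .htaccess rules from the article would answer 403 Forbidden."""
    return bool(NO_EQUALS.match(query_string)) and bool(HAS_DASH.search(query_string))


def scan_access_log(lines):
    """Report every request whose query string would have reached php-cgi as
    command-line arguments, and whether the workaround would have stopped it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, method, target, status = m.groups()
        path, _, query = target.partition("?")
        argv = cgi_argv_from_query(query)
        if not argv:
            continue  # ordinary key=value query, or no query at all
        findings.append({
            "client": client,
            "method": method,
            "path": path,
            "query": query,
            "argv": argv,
            "blocked": blocked_by_workaround(query),
        })
    return findings


# Constructed sample log lines (not from a real server).
LOG_LINES = [
    '203.0.113.5 - - [10/May/2012:10:11:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2012:10:11:13 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "curl/7.19.7"',
    '203.0.113.7 - - [10/May/2012:10:11:14 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 2048 "-" "curl/7.19.7"',
    '203.0.113.7 - - [10/May/2012:10:11:15 +0000] "POST /index.php?-d+display_errors%3D1 HTTP/1.1" 200 310 "-" "curl/7.19.7"',
    '203.0.113.9 - - [10/May/2012:10:11:16 +0000] "GET /index.php?foo-bar HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2012:10:11:17 +0000] "GET /index.php?abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2012:10:11:18 +0000] "GET /static/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(LOG_LINES):
        verdict = "BLOCKED" if f["blocked"] else "NOT blocked"
        print(f'{f["client"]} {f["method"]} {f["path"]}?{f["query"]} -> argv={f["argv"]} {verdict}')
```

Two of the constructed lines are worth noting: `?-d+display_errors%3D1` slips past the "=" check because the "=" is percent-encoded, yet is still caught by the dash check, while `?foo-bar` is a harmless request that the rule rejects anyway. Running the script on real access logs from the affected period is a quick way to see whether a 9.0 - 9.2.3 host received such requests before the wrapper was installed.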

Additional information

Note that this vulnerability also affects websites created with Parallels Operations Automation. For details, see the following article:

113814 PHP-CGI remote code execution vulnerability (CVE-2012-1823) in Parallels Automation



Attachments:

cve-2012-1823-wa_pp.tgz (the workaround script referenced above)
