Parallels Plesk Panel: phppath/PHP vulnerability

APPLIES TO:
  • Parallels Small Business Panel 10.x for Linux/Unix
  • Parallels Plesk 9.2 for Linux/Unix
  • Parallels Plesk 9.0 for Linux/Unix
  • Ubuntu and Debian Linux servers that were upgraded directly from 9.0 or 9.2 to 10.x or 11.x, skipping the sequential upgrade through 9.5.x
NOTE: The upgrade risk does not apply to servers that were upgraded sequentially through 9.5.x (from 9.0 or 9.2 to 9.5.x, then from 9.5.x to 10.x or 11.x), nor to servers running a Linux distribution other than Ubuntu or Debian.

Information

The exploit [1] for this vulnerability uses a combination of these two issues:

- PHP vulnerability CVE-2012-1823 in php-cgi, the CGI mode used by older Plesk versions: when a request's query string contains no "=" character, the web server passes the query string to the CGI binary as command-line arguments, and unpatched php-cgi honoured those arguments as options (see http://kb.sp.parallels.com/en/113818)
- The phppath script alias that Plesk versions 9.0 to 9.2 configured in Apache, which made the php-cgi binary itself reachable over HTTP, so the CGI arguments above could be supplied by any remote client
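
How the two issues combine, and what the resulting requests look like in an Apache access log, as an added Python example (this is not Parallels' checker.sh or any Plesk code). It assumes the alias is /phppath/ and that the CGI binary is reachable as /phppath/php, the path used by the public exploit [1]; the log lines are constructed. When a query string carries no literal "=", the web server splits it on "+", URL-decodes each piece and passes the pieces to the CGI program as argv (RFC 3875, section 4.4). php-cgi before the CVE-2012-1823 fix treated that argv as its own command-line options, so "?-s" dumps the script source and "?-d+name%3dvalue" overrides an ini setting. The detector recovers that argv and flags requests to the alias that carry option-style arguments:

```python
"""
Detector for the request pattern behind the Plesk phppath / CVE-2012-1823
issue. Added example; not Parallels' checker.sh and not Plesk code.

A request reaches php-cgi with attacker-controlled argv when:
  1. the path hits the /phppath/ ScriptAlias of Plesk 9.0-9.2, so the
     request executes the php-cgi binary directly (alias target name "php"
     is assumed here, as in the public exploit);
  2. the raw query string contains no literal '=', so the web server splits
     it on '+' and passes the URL-decoded pieces to the CGI as argv
     (RFC 3875 section 4.4); unpatched php-cgi honours options such as
     -s (dump source) and -d (override an ini setting).
"""
import re
from urllib.parse import unquote

# Assumed alias prefix; adjust if the vhost exposes php-cgi elsewhere.
PHPPATH_RE = re.compile(r"^/phppath/", re.IGNORECASE)


def cgi_argv_from_query(query):
    """argv a CGI program receives for QUERY_STRING, or [] when the server
    would pass none (an unencoded '=' disables argv handling).
    '%3d' survives this check because only the literal '=' is tested."""
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def is_phpcgi_arg_injection(path, query):
    """True when the request targets the phppath alias with option-style argv."""
    if not PHPPATH_RE.match(path):
        return False
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query))


# Request field of an Apache combined-format log line: "METHOD /target HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def scan_access_log(lines):
    """Yield (line_number, argv) for every request that matches the pattern."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if is_phpcgi_arg_injection(path, query):
            yield n, cgi_argv_from_query(query)


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2013:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2013:10:00:02 +0000] "GET /phppath/php?-s HTTP/1.1" 200 9000',
    '203.0.113.5 - - [05/Jun/2013:10:00:03 +0000] "POST /phppath/php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 128',
    '198.51.100.7 - - [05/Jun/2013:10:00:04 +0000] "GET /phppath/php?a=b HTTP/1.1" 200 30',
    '198.51.100.7 - - [05/Jun/2013:10:00:05 +0000] "GET /cgi-bin/script.cgi?-s HTTP/1.1" 404 200',
]

if __name__ == "__main__":
    for n, argv in scan_access_log(SAMPLE_LOG):
        print("line %d: php-cgi would receive argv %r" % (n, argv))
```

Lines 2 and 3 of the sample are flagged; line 4 is not, because its literal "=" stops the server from building argv at all, and line 5 is not, because it never reaches the phppath alias. The third line shows why the public exploit encodes "=" as %3d: the literal character would disable argv handling, while the encoded form passes the check and is decoded before php-cgi sees it.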

Impact

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition, or execute arbitrary code with the privileges of the web server.

Parallels Products Impacted

Only Parallels Plesk Panel versions 9.0 through 9.2.3 and Parallels Small Business Panel 10.x versions on the Linux platform are impacted. These represent less than 4 percent of all Plesk Panel licenses, and these versions are end-of-life and unsupported (they were superseded by 9.5.4, a direct upgrade that has been available for more than three years).

Also impacted are Plesk Panel 10.x and 11.x installations on Ubuntu and Debian that were upgraded directly from 9.0 through 9.2.3 without passing through Plesk Panel 9.5.x. Plesk Panel 9.5.x servers themselves are never impacted, and no server that was upgraded sequentially through 9.5.x is impacted.

Server Vulnerability Check

To check whether your server is subject to the security vulnerability, you can use the attached script, checker.sh:
# wget http://kb.sp.parallels.com/Attachments/25053/Attachments/checker.sh
# bash checker.sh

The script's output states whether the server is vulnerable.

If your Parallels Plesk Panel version is not 9.0 or 9.2 and the checker reports that your server is vulnerable, please contact Parallels Technical Support.

Resolution

Customers on Plesk Panel 9.0 through 9.2.3 should do the following:

•    Upgrade to the latest version of Plesk. Plesk 11 has been available for a year; Plesk 11.5, which brings many improvements, will be available on June 13. At the very least, update to Plesk Panel 9.5.4 (which will reach end-of-life soon). It ships a PHP wrapper that protects against the PHP issue and removes the phppath attack vector.

•    Update PHP to protect against the CVE-2012-1823 vulnerability (see http://kb.sp.parallels.com/en/113818).

•    If a Plesk Panel upgrade is not possible, Parallels has prepared a script that patches the server automatically (see below).

Note: Before applying the following solution, install the latest micro-updates on the server, following the instructions in article #9294.

Download the archived script, wrapper.zip, from the attachment onto the server running Parallels Plesk Panel for Linux 9.0 to 9.2.3 or Parallels Small Business Panel for Linux 10.x.

Extract the archive and execute the script:
# wget http://kb.sp.parallels.com/Attachments/25053/Attachments/wrapper.zip
# unzip wrapper.zip
# cd wrapper
# bash install.sh

No currently supported versions of Parallels Plesk Panel 9.5.4, 10.x, or 11.x, or Parallels Plesk Automation, are vulnerable. Also, Plesk 8.x (now end-of-life) is not vulnerable.

Customers running a legacy version of Parallels Plesk Panel that is no longer supported should upgrade to the latest version.

Parallels reminds Plesk users that timely updates of the operating system, as well as of Plesk itself, are essential to the security of the system.

Note: The following micro-updates (MUs) deliver the fix for Ubuntu and Debian Linux servers that were upgraded directly from 9.0 or 9.2 to 10.x or 11.x

Links:
1. http://seclists.org/fulldisclosure/2013/Jun/21


