Lunarpages Web Hosting Forum

Author Topic: Parallels Plesk Panel 0-Day vulnerability  (Read 13428 times)

Dragos
Parallels Plesk Panel 0-Day vulnerability
« on: June 11, 2013, 07:41:10 AM »
[Update]: Parallels has issued a statement and another possibility to work around the issue if a Parallels Plesk Panel update is not possible.

A 0-day vulnerability has been publicly posted, a vulnerability that affects older versions of the Parallels Plesk software. While this vulnerability does not affect the latest major version of the software, we expect to see widespread exploitation, due to the age of the affected versions. The internal verification that we performed revealed that all the versions between 9.0 and 9.2.3 of Parallels Plesk Panel are affected by this 0-day vulnerability. Since Parallels Plesk Panel 9 is no longer supported (End of Life: December 9, 2012 / End of Extended Support: June 9, 2013), we strongly recommend all of our customers (and not only them) to upgrade to the latest version of Parallels Plesk Panel.

At the time of this post Parallels Plesk Panel 11.0.9 is considered the latest stable release for both operating systems (Linux/Windows).

If an upgrade to the latest stable release cannot be performed, there is a workaround that you can use to patch your version of Parallels Plesk Panel if the version that you are using is affected by this vulnerability:

1. Create a separate folder, for example /var/www/vhosts/cgi-bin:

    mkdir /var/www/vhosts/cgi-bin

2. Create a php-cgi hard link in the newly created folder:

    ln /usr/bin/php-cgi /var/www/vhosts/cgi-bin/php-cgi

3. Modify the path for the CGI_PHP_BIN variable in /etc/psa/psa.conf:

    - CGI_PHP_BIN /usr/bin/php-cgi
    + CGI_PHP_BIN /var/www/vhosts/cgi-bin/php-cgi

4. Modify the phppath variable in /etc/httpd/conf.d/php_cgi.conf:

    - ScriptAlias /phppath/ "/usr/bin/"
    + ScriptAlias /phppath/ "/var/www/vhosts/cgi-bin/"

5. Restart the web server.

We are always happy to help our customers with the update of Parallels Plesk Panel to the latest stable release. For our managed customers who are subscribed to any one of our 3 Managed Hosting packages, the patch has already been applied at no cost if the version of Plesk that they are running is affected by this vulnerability. If you want to upgrade the Panel version, please contact us at to request an upgrade.

If you have any questions regarding this vulnerability or any questions on the update process, please contact us at . We strive to keep our customers secure and informed. If you want to learn more about our managed services please see the link below:
« Last Edit: June 11, 2013, 07:48:34 AM by Dragos »
Dragos Gabriel Fedorovici
System Administrator I - Add2Net Inc., LunarPages Division

Phone: 1-714-521-8150
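The five workaround steps from the post above, as an added shell example that is not from the original post or from Parallels: the config file paths are taken as arguments so the edit can be rehearsed on copies and verified before the web server is restarted. The default locations are the ones the post names; the `service httpd restart` hint at the end is an assumption for an /etc/httpd layout.

```shell
#!/bin/sh
# Added example, not part of the original post: the workaround steps as
# shell functions that take the config file paths as arguments, so the
# edit can be rehearsed on copies and verified before the web server is
# restarted. Default locations are the ones named in the post.
OLD_BIN=/usr/bin/php-cgi
NEW_DIR=/var/www/vhosts/cgi-bin

# Steps 1 and 2: create the directory and hard-link php-cgi into it.
# A hard link cannot cross filesystems, so fail loudly if ln cannot.
make_cgi_link() {
    src=$1; dir=$2
    mkdir -p "$dir" || return 1
    [ -e "$dir/php-cgi" ] || ln "$src" "$dir/php-cgi" || return 1
    [ "$src" -ef "$dir/php-cgi" ]   # same inode => genuine hard link
}

# Step 3: point CGI_PHP_BIN in a psa.conf-style file ($1) at binary $2.
patch_psa_conf() {
    conf=$1; newbin=$2
    cp "$conf" "$conf.bak" || return 1
    sed "s#^CGI_PHP_BIN[[:space:]].*#CGI_PHP_BIN ${newbin}#" "$conf.bak" > "$conf"
}

# Step 4: rewrite the /phppath/ ScriptAlias in a php_cgi.conf-style
# file ($1) so that it points at directory $2.
patch_php_cgi_conf() {
    conf=$1; newdir=$2
    cp "$conf" "$conf.bak" || return 1
    sed "s#^\([[:space:]]*ScriptAlias[[:space:]]*/phppath/[[:space:]]*\).*#\1\"${newdir}/\"#" \
        "$conf.bak" > "$conf"
}

# Verification: succeed only when neither file still names /usr/bin,
# i.e. the pre-workaround state the post describes.
check_configs() {
    psa=$1; cgi=$2
    grep -q "^CGI_PHP_BIN[[:space:]]*/usr/bin/php-cgi" "$psa" && return 1
    grep -q 'ScriptAlias[[:space:]]*/phppath/[[:space:]]*"/usr/bin/"' "$cgi" && return 1
    return 0
}

# On a live host (as root), followed by step 5, e.g. `service httpd restart`
# (the service name is an assumption for an /etc/httpd layout):
#   make_cgi_link "$OLD_BIN" "$NEW_DIR"
#   patch_psa_conf /etc/psa/psa.conf "$NEW_DIR/php-cgi"
#   patch_php_cgi_conf /etc/httpd/conf.d/php_cgi.conf "$NEW_DIR"
#   check_configs /etc/psa/psa.conf /etc/httpd/conf.d/php_cgi.conf
```

Each function backs the file up as `<file>.bak` before rewriting, so a mistaken run can be reverted by moving the backup back into place.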