Plesk Zero-Day Remote Exploit

Posted: June 6, 2013 in IT Security News
Tags: , , , ,

Plesk Zero-Day Exploit

Plesk Zero-Day Exploit

Published zero-day exploit to attack the system with Plesk control panel

More than 360,000 Apache websites imperiled by critical Plesk vulnerability

Publicly available attack code exploits remote-code bug in Plesk admin panel and  allows execution of arbitrary code on the web-servers that are running Plesk (the web hosting control panel).

The problem is tested on systems with Plesk 8.6, 9.0, 9.2, 9.3 and 9.5.4 running under Linux and FreeBSD (other systems have not been tested and may also vulnerable). The vulnerability remains unpatched. According to preliminary estimates, the Web is about 360,000 potentially vulnerable servers on which the panel is installed Plesk.

Exploit code has been posted on man nick Kingcope at

The vulnerability is caused by incorrect configuration of Apache, allowing to directly apply to any application that is hosted in the directory / usr / bin. Presented exploit demonstrates the appeal to the CLI-version installed on the system interpreter PHP. By overriding control restrictions configuration PHP, it becomes possible to execute arbitrary external PHP-Script with the rights of http-server Apache.

Parallels company has not officially responded to the vulnerability of temporary protection for the developer recommends that you remove the exploit of the Apache configuration established with Plesk string ‘scrptAlias ​​/ phppath / “/ usr / bin /”‘, which is the source of the problem.


  1. Sergey Gor says:

    The story of the unpatched vulnerability in the Plesk control panel will be continued – reported about the detection of traces of building a botnet, which is used to penetrate this problem is security.

    Placed after the attack, control code and scripts for hacking the new systems are written in Perl and coordinated through the IRC-channel. In the process of studying the behavior of a botnet (access was given to the management server) identified about 900 calls to the vulnerable version of Plesk, the preliminary estimate for the hour of observation was struck about 40 new servers.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s