Zero-day exploit published for systems running the Plesk control panel
More than 360,000 Apache websites imperiled by critical Plesk vulnerability
Publicly available attack code exploits a remote code execution bug in the Plesk admin panel and allows arbitrary code to be executed on web servers running Plesk (the web hosting control panel).
The problem has been confirmed on systems with Plesk 8.6, 9.0, 9.2, 9.3 and 9.5.4 running under Linux and FreeBSD (other systems have not been tested and may also be vulnerable). The vulnerability remains unpatched. According to preliminary estimates, there are about 360,000 potentially vulnerable servers on the Web with the Plesk panel installed.
The exploit code was posted on seclists.org by a user with the nick Kingcope at http://seclists.org/fulldisclosure/2013/Jun/21
The vulnerability is caused by an incorrect Apache configuration that allows any program located in the /usr/bin directory to be invoked directly over HTTP. The published exploit demonstrates this by calling the CLI version of the PHP interpreter installed on the system. By overriding the restrictions in the PHP configuration, it becomes possible to execute an arbitrary external PHP script with the privileges of the Apache HTTP server.
Parallels has not officially responded to the vulnerability. As a temporary protection, the exploit's author recommends removing the line 'ScriptAlias /phppath/ "/usr/bin/"' from the Apache configuration installed by Plesk, as it is the source of the problem.
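As an added example (not code from the article, from Kingcope's post, or from Parallels), the following Python audits an Apache configuration for the ScriptAlias pattern described above, i.e. a URL path mapped onto a system binary directory, and comments out any offending directive as the stop-gap the article recommends. The sample config fragment is constructed, and the list of system binary directories is an assumption.

```python
import os
import re

# Directories holding system executables. Mapping one of them as a CGI
# directory lets a remote client run any program in it (here: the PHP CLI).
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin")

# ScriptAlias <URL-path> <filesystem-path>; the filesystem path may be quoted.
SCRIPTALIAS_RE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?',
                            re.IGNORECASE)


def is_system_bin_dir(fs_path):
    """True if fs_path is a system binary directory or a directory inside one."""
    target = os.path.normpath(fs_path)
    return any(target == d or target.startswith(d + "/") for d in SYSTEM_BIN_DIRS)


def find_dangerous_scriptaliases(config_text):
    """Return (line_no, url_path, fs_path) for each active ScriptAlias whose
    target is a system binary directory; commented-out lines are skipped."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = SCRIPTALIAS_RE.match(line)
        if m and is_system_bin_dir(m.group(2)):
            findings.append((line_no, m.group(1), m.group(2)))
    return findings


def disable_dangerous_scriptaliases(config_text):
    """Return the config with each offending directive commented out, the
    removal the article recommends as a stop-gap until a patch is available."""
    bad = {n for n, _, _ in find_dangerous_scriptaliases(config_text)}
    lines = config_text.splitlines()
    for n in bad:
        lines[n - 1] = "# DISABLED (exposes system binaries via CGI): " + lines[n - 1]
    return "\n".join(lines) + "\n"


# Constructed sample of a Plesk-style Apache config fragment (not a real file).
SAMPLE_CONFIG = """\
ScriptAlias /cgi-bin/ "/var/www/vhosts/example.test/cgi-bin/"
ScriptAlias /phppath/ "/usr/bin/"
# ScriptAlias /phppath/ "/usr/bin/"
scriptalias /tools/ /usr/local/bin/
"""
```

Running find_dangerous_scriptaliases(SAMPLE_CONFIG) flags lines 2 and 4 and ignores the commented-out copy on line 3.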