- Ubuntu and Debian Linux Servers that were upgraded directly from 9.0 or 9.2 to 10.x or 11.x (and that skipped a sequential upgrade to 9.5x)
The exploit  for this vulnerability uses a combination of these two issues:
- PHP vulnerability CVE-2012-1823 related to CGI mode used in older Plesk versions (http://kb.parallels.com/en/113818)
- Plesk phppath script alias usage in Plesk versions 9.0 to 9.2
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition, or execute arbitrary code with the privileges of the web server.
Parallels Products Impacted
Only Parallels Plesk Panel versions 9.0 through 9.2.3 and Parallels Small Business Panel 10.x versions on the Linux platform are impacted. These represent less than 4 percent of all Plesk Panel licenses, and these versions are end-of-life and unsupported (they were superseded by 9.5.4, a direct upgrade that has been available for more than three years).
Also impacted are Ubuntu and Debian versions 10.x and 11.x that were previously upgraded from 9.0 to 9.2.3, but were not sequentially upgraded to Plesk Panel 9.5x. Note that Plesk Panel 9.5x servers are never impacted. No servers that were sequentially upgraded through 9.5x are impacted.
Server Vulnerability Check
To check whether your server is subject to the security vulnerability, you can use the attached script, checker.sh:
# wget http://kb.parallels.com/Attachments/25053/Attachments/checker.sh
# bash checker.sh
Look at the script output for the conclusion.
If your Parallels Plesk Panel version is not 9.0 or 9.2 and the checker reports that your server is vulnerable, please contact Parallels Technical Support.
Customers on Plesk Panel 9.0 through 9.2.3 should do the following:
• Upgrade to the latest version of Plesk. Plesk 11 has been available for one year now. Plesk 11.5 has many improvements and will be available on June 13. At the very least, update to Plesk Panel 9.5.4 (will be end-of-life soon), which has a special PHP wrapper protecting it from the PHP issue, along with a solution that avoids the phppath attack vector.
• Update PHP to protect against the CVE-2012-1823 vulnerability (see http://kb.parallels.com/en/113818).
• Parallels has prepared a script for automatic updating of the server, if a Plesk Panel update is not possible.
Note: Before applying following solution, make sure to install latest micro-updates on the server using instructions from article #9294.
Download the archived script, wrapper.zip, from the attachment on the server with Parallels Plesk Panel for Linux 9.0 to 9.2.3 or Parallels Small Business Panel for Linux 10.x.
Extract the archive and execute the script:
# wget http://kb.parallels.com/Attachments/25053/Attachments/wrapper.zip
# unzip wrapper.zip
# cd wrapper
# bash install.sh
No currently supported versions of Parallels Plesk Panel 9.5.4, 10.x, or 11.x, or Parallels Plesk Automation, are vulnerable. Also, Plesk 8.x (now end-of-life) is not vulnerable.
If a customer is using legacy and no longer has a supported version of Parallels Plesk Panel, they should upgrade to the latest version.
Note: The following MUs deliver the fix for Ubuntu and Debian Linux Servers that were upgraded directly from 9.0 or 9.2 to 10.x or 11.x