Search

Language:  
Search for:

Available article translations:

[FIX] Older Plesk Versions - Remote vulnerability in Plesk Panel (CVE-2012-1557)

APPLIES TO:
  • Parallels Plesk 10.3 for Linux/Unix
  • Parallels Plesk 10.2 for Linux/Unix
  • Parallels Plesk 10.1 for Linux/Unix
  • Parallels Plesk 10.0.x for Linux/Unix
  • Parallels Plesk 9.x for Linux/Unix
  • Parallels Plesk 8.x for Linux/Unix
  • Plesk 7.5.x Reloaded
  • Plesk 7.1.x Reloaded
  • Plesk 7.0.x
  • Parallels Plesk 10.3 for Windows
  • Parallels Plesk 10.2 for Windows
  • Parallels Plesk 10.1 for Windows
  • Parallels Plesk 10.0.x for Windows
  • Parallels Plesk 9.x for Windows
  • Parallels Plesk 8.x for Windows
  • Plesk 7.x for Windows

Disclaimer

This article is created in order to provide the most explicit information in regards to a Plesk Panel remote security vulnerability (CVE-2012-1557). 

Background Information

An anonymous attacker can remotely compromise Plesk server.

Affected Versions

Plesk versions that were affected by the vulnerability:

  • Plesk for Linux / Windows 7.x
  • Plesk for Linux / Windows 8.x
  • Plesk for Linux / Windows 9.x
  • Plesk for Linux / Windows 10.0 - 10.3.1

Parallels takes the security of our Partners very seriously and encourages you to take actions recommended below as soon as possible.
Parallels understands that it may not be plausible at this time to perform a full upgrade to the latest release of Parallels Plesk Panel 11 which is not affected, thus there was a set of Micro-Updates released for each major version affected which will resolve the security issue without the necessity of a system upgrade. 

Server Vulnerability Check

In order to check whether your server is subjected to the security vulnerability announced previously please refer to the article that describes the script created by Plesk Service Team to automate the verification procedure:

  • 113424 How to make sure if your Plesk Panel 8.x, 9.x, 10.0, 10.1, 10.2 or 10.3 is not vulnerable

Server Vulnerability Fix

If your server is vulnerable, make sure that one of the following Micro-Updates applied immediately:
 

Plesk Version Windows Linux
  Custom Fix Micro-Update Custom Fix Micro-Update
Plesk 8.1 KB112303 - KB113313 -
Plesk 8.2 KB112303 - KB113313 -
Plesk 8.3 KB112303 - KB113313 -
Plesk 8.4 KB112303 - KB113313 -
Plesk 8.6.0 KB112303 - - 8.6.0 MU#2
Plesk 9.0 KB112303 - KB113313 -
Plesk 9.2.x KB112303 - KB113313 -
Plesk 9.3 KB112303 - KB113313 -
Plesk 9.5 KB112303 9.5.5 MU#1 - 9.5.4 MU#11
Plesk 10.0.x KB112303 10.0.1 MU#13 KB113313 10.0.1 MU#13
Plesk 10.1 KB112303 10.1.1 MU#22 KB113313 10.1.1 MU#22
Plesk 10.2 KB112303 10.2.0 MU#16 KB113313 10.2.0 MU#16
Plesk 10.3.1 - 10.3.1 MU#5 - 10.3.1 MU#5

 

The complete guide for applying Microupdates you can find on the following link: 
  • 9294 Using Microupdates in Parallels Plesk Panel 8.6, 9.5.x, 10.x and Parallels Small Business Panel

Plesk for Virtuozzo Specific

If your Plesk installation runs inside Parallels Virtuozzo Containers virtual environment, Micro-Updates or updated PVC templates should be installed using the following guide:

  • 113441 How to install the latest Microupdates for Parallels Plesk Panel to a PVC Linux container
  • 113407 New PVC templates for Plesk 8.6.0, 9.5, 10.0, 10.1, 10.2 Windows and regular distribution kit for Plesk 8.6.0 and 9.5.5 Windows versions with included security fixes
  • 7110 Microupdates are not applied automatically if Parallels Panel for Linux is installed inside Containers by means of Virtuozzo template

Best Practices

In order to be on a safe side we recommend that you secure your server and your customers' subscriptions by resetting passwords for all Plesk accounts using the script from Plesk Service Team: 

  • 113391 Plesk Mass Password Reset Script
AFTER MASS PASSWORDS CHANGING YOU MUST REMOVE ALL RECORDS FROM 'sessions' TABLE OF psa DATABASE WITH NEW VERSION OF MASS PASSWORD RESET SCRIPT:
# php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions

If you have a Plesk 8.x or Plesk 9.x server we recommend to migrate it to Plesk 11. Plesk Panel 11 does not have this security vulnerability. 
NOTE that a migration should be performed, not an upgrade, because the migration process can be easily rolled back. 
Moreover, during migration the source Parallels Plesk Panel server continues working along with sites registered in it, while an upgrade could cause downtime of services. 

Additional information

If a corresponding Micro-Update or Custom Fix was installed on your server it will fix the security issue on your server.

We hope that this information will help you to secure data on your server from the malicious attacks.




56797cefb1efc9130f7c48a7d1db0f0c aa571057eefb4e790d223bad9e05ace1 c81e59b61af9dca603ba03b14aabe968 9f8baf78266b4e54525d1c6bf06305a5 3e2cae805d7531c06d01f2df5398114f 42844a8183c58f5bd71c7d59929707e6 097728dc0a325f6309aa7a3997d4cacc 12c6f6bd6775cb701defb57d79fe96f6 0e238491b5e660eab3802f6197df3118 e26cd5a43fdb23cb2c65dd477ab20f95 6c940ecb931cefd4545ee0d1db669dd5 0826aa97edb5f1b3d71e93052fe8ac9e d3cd9f1770da96e5b5046d20def9f8eb bdfc2fcfd33015dce037e3597d1fb50c c0c38d2367acfa8909699e0b34b01dea 70141129eb4c89113d6051de8d1fc515 1d151d16e47c6f92bbf62d50eb32c4a2 df51901f8d80665e0224903c8f3ae202 c01693cb75418597d119fc7b83e56f18 c2d2acbb4a958dab3cea85099859eb11 db229c4740d60cf9f63ce5e5f42872fc 2c99040a3f60c4eb1cfc2aa149498a69

FEEDBACK
Was this article helpful?
Tell us how we may improve it.
Yes No
 
 
 
 
 
 
Desktop Virtualization
- Parallels Desktop 9 for Mac
- Parallels Transporter
- Parallels Desktop Switch to Mac Edition
- Parallels Desktop for Mac Enterprise Edition
- Parallels Management-Mac for Microsoft SCCM
Server Virtualization
- Parallels Cloud Server
- Parallels Containers for Windows 6.0 Beta
- Parallels Virtuozzo Containers
Automation
- Parallels Automation
- Parallels Automation for Cloud Infrastructure
- Parallels Business Automation Standard
- Parallels Virtual Automation
- Parallels Plesk Panel Suite
- Web Presence Builder
- Parallels Plesk Automation
- Parallels Small Business Panel
- Value-added Services for Hosters
- Parallels Partner Storefront
Services & Resources
- Cloud Acceleration Services
- Professional Services
- Support Services
- Training & Certification