Parallels Plesk Panel: PHP-CGI remote code execution vulnerability (CVE-2012-1823)

APPLIES TO:
  • Parallels Plesk Panel 9.2 for Linux/Unix
  • Parallels Plesk Panel 9.0 for Linux/Unix

Information

On May 3rd, 2012, the PHP-CGI remote code execution vulnerability (CVE-2012-1823) was disclosed to the general public.
This is a critical vulnerability affecting software that runs PHP as a CGI binary (PHP-CGI).
PHP-FastCGI is not vulnerable to this exploit.

Parallels Plesk Panel (PP) for Windows versions 10.4 and earlier are NOT affected.

PP for Linux versions 9.3 - 10.4 are NOT affected by the PHP-CGI remote code execution vulnerability due to their use of the special cgi_wrapper script.
PP for Linux versions 8.6 and earlier versions are NOT affected due to their use of mod_php only.

PP for Linux versions 9.0 - 9.2.3 might be vulnerable.

Resolution

To fix this issue on PP for Linux 9.0 - 9.2.3, apply one of the following workarounds:

1. It is strongly recommended that you update PP to the latest version, which is not vulnerable.

Parallels' End of Life policy is available here: http://www.parallels.com/products/plesk/lifecycle

2. CGI wrapper is the recommended way to work around the issue if a PP update is not possible.

Parallels has prepared a script that automatically updates the server with the wrapper.
Download the archived script cve-2012-1823-wa_pp.tgz (attached to this article) onto the server running Parallels Plesk Panel for Linux 9.0 - 9.2.3.
Extract it from the archive and execute it:

# wget http://kb.parallels.com/Attachments/20000/Attachments/cve-2012-1823-wa_pp.tgz
# tar xfz cve-2012-1823-wa_pp.tgz
# cd cve-2012-1823-wa_pp
# bash setup.sh

3. It is also possible to work around the problem with .htaccess rules, added to the document root of each website:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

This workaround has to be applied to each webspace separately, which makes it complicated to maintain when thousands of webspaces are hosted.
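The two RewriteCond lines above only match a raw query string that contains no "=" and does contain "-" or its URL-encoded form "%2d". The following added example (not part of this article or of Parallels' script) re-implements that matching logic in Python and runs it over constructed Apache access-log lines, so an administrator can check which past requests the rules would have rejected; the log format and sample requests are assumed for illustration.

```python
import re
from urllib.parse import urlsplit

# Mirror of the two .htaccess conditions from the workaround above.
# Apache's %{QUERY_STRING} is NOT URL-decoded, which is why the rule has to
# check both the literal '-' and its encoded form '%2d' (case-insensitive).
NO_EQUALS = re.compile(r"^[^=]*$")                   # RewriteCond ^[^=]*$
DASH_OR_ENCODED = re.compile(r"%2d|-", re.IGNORECASE) # RewriteCond %2d|\- [NC]


def query_would_be_blocked(query_string: str) -> bool:
    """True if the raw query string satisfies both RewriteCond lines
    (and would therefore hit the [F] rule)."""
    return bool(NO_EQUALS.match(query_string)) and bool(DASH_OR_ENCODED.search(query_string))


# Apache "combined"/"common" log request line, e.g.
#   203.0.113.5 - - [05/May/2012:10:12:01 +0000] "GET /index.php?x HTTP/1.1" 200 1532
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client_ip, request_target) for every request whose raw query
    string the .htaccess workaround would have blocked."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines that are not request records
        qs = urlsplit(m.group("target")).query   # raw, still URL-encoded
        if query_would_be_blocked(qs):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2012:10:12:01 +0000] "GET /index.php?-example HTTP/1.1" 200 1532',
    '203.0.113.5 - - [05/May/2012:10:12:02 +0000] "GET /index.php?%2Dexample HTTP/1.1" 200 1532',
    '198.51.100.7 - - [05/May/2012:10:13:00 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 8820',
    '198.51.100.7 - - [05/May/2012:10:13:01 +0000] "GET /index.php?foo HTTP/1.1" 200 8820',
    '198.51.100.7 - - [05/May/2012:10:13:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4110',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target}")
```

Note that a request such as "?page=-1" passes because it contains "=", while any "=" -free query containing a dash is rejected, so the rule can also block legitimate applications that use such query strings.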

Additional information

Note that this vulnerability affects websites created with the help of Parallels Operations Automation. For more details, read the following article:

113814 PHP-CGI remote code execution vulnerability (CVE-2012-1823) in Parallels Automation

