Article ID: 115942, created on Apr 12, 2013, last review on Aug 8, 2016

Applies to:
  • Plesk 11.0 for Linux

Background

  Plesk privilege escalation vulnerabilities have been discovered and are described in VU#310500, CVE-2013-0132, and CVE-2013-0133 (CVSS score 4.4 - http://www.kb.cert.org/vuls/id/310500).

The following versions of Plesk for Linux are confirmed to be vulnerable: 9.5, 10.x, and 11.x. While there is no known exploit for the above vulnerabilities, the Plesk team strongly recommends taking action and applying the security updates (or the workaround) described in this article.

Details

  Plesk versions 9.x to 11.x with the Apache web server running mod_php, mod_perl, mod_python, etc., are vulnerable to privilege escalation by an authenticated user. Authenticated users are users who have a Plesk login (such as your customers, resellers, or your employees).

Plesk instances with the Apache web server configured to run PHP, Perl, Python, etc. as FastCGI or as CGI are NOT vulnerable.

For security reasons, the Plesk team has recommended and continues to recommend FastCGI (for PHP, Python, Perl, etc.) and CGI (for Perl, Python, PHP, etc.) over mod_php, mod_perl, mod_python, etc.

Current Status

The Plesk team is actively working on security updates for these issues. The ETAs for these updates are as follows:

  • Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information
  • Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details
  • Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
  • Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
  • Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
  • Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
  • Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
  • Plesk 8.x: affected, end of life - see the Installation, Upgrade, Migration, and Transfer Guide for Parallels Plesk Panel 11.0 for more details about upgrading or migrating Plesk

Immediate Workaround

Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.

Below is an example of how to switch all existing domains from mod_php to FastCGI (it reads the Plesk admin password from /etc/psa/.psa.shadow, lists every domain with virtual hosting, and sets the PHP handler of each one to fastcgi):

# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F '|' '{print $1}' | while read a; do /usr/local/psa/bin/domain -u "$a" -php_handler_type fastcgi; done

Even after the fix for the issue is published, the Plesk team still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use the FastCGI or CGI modes for improved security on Apache.
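The following shell script is an added example and is not part of this article or of Plesk itself. It audits the two conditions discussed above: whether Apache still loads mod_php, mod_perl, or mod_python (parsed from `apachectl -M` output) and which domains still use the in-process `module` PHP handler rather than `cgi` or `fastcgi`. It assumes the standard `apachectl -M` listing format and the Plesk CLI handler value `module` for mod_php; the sample inputs are constructed, and the `hosting.php_handler_type` column named in the comment is an assumption to verify against your own psa schema.

```shell
#!/bin/sh
# Audit helper for the mod_php/mod_perl/mod_python condition described in this
# article. Added example, not Plesk code. Assumes the standard `apachectl -M`
# listing format and the Plesk CLI handler value "module" for mod_php; the
# sample inputs below are constructed, not captured from a real server.

# Print in-process script modules (php*_module, perl_module, python_module)
# found in an `apachectl -M` listing read from stdin.
risky_modules() {
    awk '/^ *(php[0-9]*|perl|python)_module/ { print $1 }'
}

# From "domain handler" rows on stdin, print domains whose PHP handler is still
# "module" (mod_php); domains on "cgi" or "fastcgi" are not affected.
domains_on_module_handler() {
    awk '$2 == "module" { print $1 }'
}

# Return 0 when neither check finds anything, 1 otherwise.
is_clean() {
    mods=$(printf '%s\n' "$1" | risky_modules)
    doms=$(printf '%s\n' "$2" | domains_on_module_handler)
    [ -z "$mods" ] && [ -z "$doms" ]
}

# Constructed sample: a host that still loads mod_php and mod_perl ...
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 php5_module (shared)
 perl_module (shared)
 rewrite_module (shared)'

# ... and four domains, two of which still use the mod_php handler.
SAMPLE_DOMAINS='example.com module
shop.example.net fastcgi
blog.example.org cgi
old.example.com module'

# On a live Plesk host feed real data instead, e.g. MODS=$(apachectl -M 2>&1)
# and rows from the psa database (column name assumed; verify against your schema):
#   mysql -uadmin -p`cat /etc/psa/.psa.shadow` --skip-column-names psa -e \
#     "select d.name, h.php_handler_type from domains d join hosting h on h.dom_id = d.id"
if is_clean "$SAMPLE_MODULES" "$SAMPLE_DOMAINS"; then
    echo "OK: no in-process script modules loaded, no domains on mod_php"
else
    echo "Apache modules still loaded:"; printf '%s\n' "$SAMPLE_MODULES" | risky_modules
    echo "Domains still on the module handler:"; printf '%s\n' "$SAMPLE_DOMAINS" | domains_on_module_handler
fi
```

Run it as root on the Plesk host after replacing the two samples with live data; a non-empty report means the server is still in the vulnerable configuration described in the Details section.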

For additional details, please refer to the Parallels Plesk Panel for Linux Advanced Administration Guide, section Enhancing Security.

Search Words

VU#310500, CVE-2013-0132, CVE-2013-0133

