Article ID: 115942, created on Apr 12, 2013, last review on Jun 17, 2016

  • Applies to:
  • Plesk 12.0 for Linux

Background   Plesk privilege escalation vulnerabilities have been discovered and are described in VU#310500, CVE-2013-0132, and CVE-2013-0133 (CVSS score 4.4 -

The following versions of Plesk for Linux are confirmed to be vulnerable: 9.5, 10.x, and 11.x. While there is no known exploit for the above vulnerabilities, Odin strongly recommends taking action and applying the security updates (or workaround) described in this article.  

Details   Plesk versions 9.x to 11.x with Apache web server running mod_php, mod_perl, mod_python, etc., are vulnerable to authenticated user privilege escalation. Authenticated users are users that have logins to Plesk (such as your customers, resellers, or your employees).   Plesk instances with Apache web server configured with Fast CGI (PHP, perl, python, etc.) or CGI (PHP, perl, python, etc.) are NOT vulnerable.   For security reasons, Odin has recommended and continues to recommend Fast CGI (for PHP, python, perl, etc.) and CGI (perl, python, PHP, etc.) over mod_php, mod_perl, mod_python, etc.

Current Status

Odin is actively working on security updates for these issues. The ETAs for these updates are as follows:   •    Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information

•    Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details •    Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details •    Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details •    Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details •    Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details

•    Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details

•    Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Immediate Workaround

Disable mod_php, mod_python, and _mod_perl _and use Fast CGI and/or CGI, which are not affected by this security vulnerability.

Below is the example on how to switch mod_php to fast_cgi for all existing domains:

# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.

For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

Search Words

VU#310500, CVE-2013-0132, CVE-2013-0133

56797cefb1efc9130f7c48a7d1db0f0c a914db3fdc7a53ddcfd1b2db8f5a1b9c 29d1e90fd304f01e6420fbe60f66f838 2a5151f57629129e26ff206d171fbb5f e335d9adf7edffca6a8af8039031a4c7

Email subscription for changes to this article
Save as PDF