Article ID: 116241, created on Jun 6, 2013, last review on Nov 28, 2014

Applies to:
  • Small Business Panel 10.x for Linux/Unix
  • Plesk 9.2 for Linux/Unix
  • Plesk 9.0 for Linux/Unix
  • Ubuntu and Debian Linux servers that were upgraded directly from 9.0 or 9.2 to 10.x or 11.x (skipping the sequential upgrade to 9.5x)

NOTE: The upgrade risk does not apply to servers that sequentially upgraded to 9.5x (or later, from 9.5x to 10.x or 11.x) or servers running versions of Linux that are not Ubuntu or Debian.


The exploit [1] for this vulnerability uses a combination of these two issues:

- PHP vulnerability CVE-2012-1823 related to CGI mode used in older Plesk versions (
- Plesk phppath script alias usage in Plesk versions 9.0 to 9.2


A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition, or execute arbitrary code with the privileges of the web server.

Parallels Products Impacted

Only Parallels Plesk Panel versions 9.0 through 9.2.3 and Parallels Small Business Panel 10.x versions on the Linux platform are impacted. These represent less than 4 percent of all Plesk Panel licenses, and these versions are end-of-life and unsupported (they were superseded by 9.5.4, a direct upgrade that has been available for more than three years).

Also impacted are Plesk Panel 10.x and 11.x installations on Ubuntu and Debian that were upgraded directly from 9.0 through 9.2.3 without a sequential upgrade to Plesk Panel 9.5x. Plesk Panel 9.5x servers are never impacted, and no server that was sequentially upgraded through 9.5x is impacted.

Server Vulnerability Check

To check whether your server is subject to the security vulnerability, use the attached script:
# wget
# bash

Look at the script output for the conclusion.

If your Parallels Plesk Panel version is not 9.0 or 9.2 and the checker reports that your server is vulnerable, please contact Parallels Technical Support.
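The attached checker is not reproduced on this page. The script below is an added example, not Parallels' checker, that audits a server for the two conditions the article names: the Plesk 9.x "phppath" script alias in the Apache configuration, and a PHP CGI binary older than the first releases that addressed CVE-2012-1823 (PHP 5.3.12 and 5.4.2 per the CVE description; later releases completed the fix, so the distribution's current php package remains the real target). It assumes the alias is written as an Apache `ScriptAlias` directive whose URL prefix is `/phppath`; the exact line Plesk wrote is not shown on this page. The configuration it scans in the demo is constructed, not a real Plesk file.

```shell
#!/bin/sh
# Added example (not the checker attached to the Parallels article).
# Audits a server for:
#   1. the Plesk 9.x "phppath" ScriptAlias in the Apache configuration
#   2. a PHP CGI binary older than the first releases that addressed
#      CVE-2012-1823 (5.3.12 / 5.4.2); later releases completed the fix.
# ASSUMPTION: the alias appears as a ScriptAlias directive with the URL
# prefix /phppath (the exact directive Plesk wrote is not on the page).

# find_phppath_alias FILE_OR_DIR... : prints matching lines, exit 0 if any found.
find_phppath_alias() {
    grep -rniE '^[[:space:]]*ScriptAlias[[:space:]]+"?/phppath' "$@" 2>/dev/null
}

# version_lt A B : exit 0 when dotted version A sorts numerically before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# php_needs_update VERSION : exit 0 when VERSION predates the fixed release
# of its branch (5.4.x -> 5.4.2, everything older -> 5.3.12).
php_needs_update() {
    case "$1" in
        5.4.*) version_lt "$1" 5.4.2 ;;
        *)     version_lt "$1" 5.3.12 ;;
    esac
}

# installed_php_version [BINARY] : prints "x.y.z" from `php-cgi -v`,
# prints nothing when the binary is not installed.
installed_php_version() {
    bin="${1:-php-cgi}"
    command -v "$bin" >/dev/null 2>&1 || return 0
    "$bin" -v 2>/dev/null | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# audit CONF_DIR [PHP_VERSION] : prints findings.
# Exit status: 0 = nothing found, 1 = alias present, 2 = PHP outdated, 3 = both.
audit() {
    conf="$1"
    ver="${2:-$(installed_php_version)}"
    rc=0
    if find_phppath_alias "$conf" >/dev/null; then
        echo "FOUND: phppath ScriptAlias under $conf"
        rc=$((rc + 1))
    fi
    if [ -n "$ver" ] && php_needs_update "$ver"; then
        echo "FOUND: PHP $ver predates the CVE-2012-1823 fix"
        rc=$((rc + 2))
    fi
    [ "$rc" -eq 0 ] && echo "OK: no phppath alias, PHP ${ver:-not found} is current"
    return "$rc"
}

# Demo on a constructed configuration directory (not a real Plesk file).
# On a real server call: audit /etc/apache2   (or the Plesk httpd include dir)
demo_dir=$(mktemp -d)
printf 'ScriptAlias /phppath/ "/usr/bin/"\n' > "$demo_dir/constructed-plesk.conf"
audit "$demo_dir" 5.2.17
echo "exit status: $?"
rm -rf "$demo_dir"
```

The demo reports both conditions and exits with status 3. On a live server, point `audit` at the directory that holds the Apache and Plesk include files and omit the version argument so it reads `php-cgi -v` itself; a non-zero exit status is what a monitoring job should alert on.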


Customers on Plesk Panel 9.0 through 9.2.3 should do the following:

  • Upgrade to the latest version of Plesk. Plesk 11 has been available for one year now. Plesk 11.5 has many improvements and will be available on June 13. At the very least, update to Plesk Panel 9.5.4 (will be end-of-life soon), which has a special PHP wrapper protecting it from the PHP issue, along with a solution that avoids the phppath attack vector.

  • Update PHP to protect against the CVE-2012-1823 vulnerability (see

  • Parallels has prepared a script for automatic updating of the server, if a Plesk Panel update is not possible.

Note: Before applying the following solution, make sure the latest micro-updates are installed on the server, using the instructions in article #9294.

Download the archived script, wrapper.zip, from the attachment to the server running Parallels Plesk Panel for Linux 9.0 to 9.2.3 or Parallels Small Business Panel for Linux 10.x.

Extract the archive and execute the script:
# wget
# unzip
# cd wrapper
# bash

No currently supported versions of Parallels Plesk Panel 9.5.4, 10.x, or 11.x, or Parallels Plesk Automation, are vulnerable. Also, Plesk 8.x (now end-of-life) is not vulnerable.

If a customer is using a legacy version of Parallels Plesk Panel that is no longer supported, they should upgrade to the latest version.

Parallels reminds Plesk users that timely updates of your operating system, as well as updates of Plesk itself, are very important and are required for your system's security.

Note: The following MUs deliver the fix for Ubuntu and Debian Linux Servers that were upgraded directly from 9.0 or 9.2 to 10.x or 11.x
