Public issues VU#310500, CVE-2013-0132, CVE-2013-0133

Refers to:

  • Plesk 11.0 for Linux
  • Plesk 10.x and below for Linux

Created:

2016-11-16 12:57:53 UTC

Modified:

2016-12-21 19:38:48 UTC


Background

Privilege escalation vulnerabilities in Plesk have been discovered; they are described in VU#310500, CVE-2013-0132 and CVE-2013-0133 (CVSS score 4.4; see http://www.kb.cert.org/vuls/id/310500 ).

The following versions of Plesk for Linux are confirmed to be vulnerable: 9.5, 10.x and 11.x. Although no public exploit for these vulnerabilities is known, the Plesk team strongly recommends applying the security updates (or the workaround) described in this article.

Details

Plesk versions 9.x to 11.x with the Apache web server running mod_php, mod_perl, mod_python or a similar in-process module are vulnerable to privilege escalation by an authenticated user. Authenticated users are users that have a Plesk login, such as your customers, resellers or employees. The risk comes from how these modules execute scripts: the script runs inside the Apache worker process, under the web server's own user account, which is shared by every site hosted on the server.

Plesk instances with Apache configured to run PHP, Perl, Python, etc. through FastCGI or CGI are NOT vulnerable: those scripts run in a separate process under the subscription's own system user rather than inside Apache.

For security reasons, the Plesk team has recommended, and continues to recommend, FastCGI or CGI (for PHP, Perl, Python, etc.) over mod_php, mod_perl, mod_python and similar modules.

Current Status

The Plesk team is actively working on security updates for these issues. The ETAs for these updates are as follows:

Immediate Workaround

Disable mod_php, mod_python and mod_perl and use FastCGI and/or CGI, which are not affected by this vulnerability.

Below is an example of how to switch mod_php to FastCGI for all existing domains (run as root; the query selects every domain with virtual hosting and passes each name to the Plesk domain utility):

# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F '|' '{print $1}' | while read a; do /usr/local/psa/bin/domain -u "$a" -php_handler_type fastcgi; done

After the fix for the issue is published, the Plesk team still recommends avoiding these Apache modules (mod_php, mod_python and mod_perl) and using FastCGI or CGI mode instead, for improved security on Apache.
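The one-liner above switches every virtual-hosting domain, whether or not it currently uses mod_php. The script below is an added example, not part of the original article or of Plesk's own tooling: it filters the list down to the domains that still run PHP as an Apache module and prints the corresponding domain commands so they can be reviewed before being applied. It assumes that the psa database's hosting table has a php_handler_type column with the values 'module', 'fastcgi' and 'cgi' (an assumption about the Plesk 10/11 schema; check it against your version), and it works on constructed sample rows instead of querying a live server.

```shell
#!/bin/sh
# Added example (not Plesk's code). Finds subscriptions whose PHP still runs
# as the in-process Apache module and emits the Plesk CLI command that moves
# each one to FastCGI.
#
# Assumption: the psa.hosting table carries php_handler_type with the values
# 'module', 'fastcgi' and 'cgi'. On a real server the rows would come from:
#   mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e \
#     "select d.name, h.php_handler_type from domains d \
#      join hosting h on h.dom_id = d.id where d.htype = 'vrt_hst';"
# which prints tab-separated "name<TAB>handler" rows when run non-interactively.

# Constructed sample rows standing in for that query's output.
SAMPLE_ROWS=$(printf 'example.com\tmodule\nshop.example.net\tfastcgi\nlegacy.example.org\tmodule\ncgi-site.example.info\tcgi')

# list_module_domains: read "name<TAB>handler" rows on stdin and print the
# names of the domains whose handler is the Apache module (mod_php).
list_module_domains() {
    awk -F '\t' '$2 == "module" { print $1 }'
}

# switch_commands: turn the rows on stdin into one "domain -u" command per
# affected domain. The commands are printed, not executed, so an admin can
# review the list first; pipe the output to sh to apply it.
switch_commands() {
    list_module_domains | while IFS= read -r name; do
        printf '/usr/local/psa/bin/domain -u %s -php_handler_type fastcgi\n' "$name"
    done
}

printf '%s\n' "$SAMPLE_ROWS" | switch_commands
```

On the sample rows the script prints commands for example.com and legacy.example.org only; shop.example.net and cgi-site.example.info already run outside the Apache process and are left alone.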

For additional details, refer to the "Enhancing Security" section of the Parallels Plesk Panel for Linux Advanced Administration Guide.
