Parallels Plesk PHP-CGI Vulnerability

Please read this message in its entirely and take the recommended actions :

A security vulnerability in PHP was identified that impacts some of Parallels products. The goal of this email is to make you aware of the situation.

 

• Situation

The PHP Group and the United States Computer Emergency Readiness Team (US-CERT) has issued a vulnerability alert on 3 May that PHP-CGI-based setups contain vulnerability when parsing query string parameters from .php files. You can find more information at the PHP website.

·         Impact

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.

·         Parallels Products Impacted

o   Parallels Operation Automation Shared Hosting and Parallels Operation Automation Shared Hosting NG modules (all versions)

o   Parallels Plesk Panel for Linux versions 9.0 – 9.2.3 might be vulnerable (Plesk team is working on an update)

o   Parallels H-Sphere

 

• Solution

A temporary patch for PHP installations does exist, and Parallels is working on incorporating this patch in our products as soon as possible.

 

• CALL TO ACTION

For immediate solution customers should read the following knowledge base articles for instructions:

 

• http://kb.parallels.com/en/113814 – for POA
• http://kb.parallels.com/en/113818 – for Plesk
• http://kb.parallels.com/en/113821 – for H-Sphere

 

As this article is at a preliminary stage and will be updated in the nearest future, please subscribe to those articles updates via e-mail (for example by clicking here for 113814 and here for 113818). You might also want to subscribe to the RSS feed here.

 

Plesk Team