Parallels Plesk PHP-CGI Vulnerability
Please read this message in its entirety and take the recommended actions:
A security vulnerability in PHP was identified that impacts some of Parallels products. The goal of this email is to make you aware of the situation.
- Situation
The PHP Group and the United States Computer Emergency Readiness Team (US-CERT) issued a vulnerability alert on 3 May stating that PHP-CGI-based setups contain a vulnerability when parsing query string parameters from .php files. You can find more information at the PHP website.
- Impact
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
- Parallels Products Impacted
  - Parallels Operation Automation Shared Hosting and Parallels Operation Automation Shared Hosting NG modules (all versions)
  - Parallels Plesk Panel for Linux versions 9.0 – 9.2.3 might be vulnerable (Plesk team is working on an update)
  - Parallels H-Sphere
- Solution
A temporary patch for PHP installations exists, and Parallels is working on incorporating this patch into our products as soon as possible.
- CALL TO ACTION
For an immediate solution, customers should read the following knowledge base articles for instructions:
- http://kb.parallels.com/en/113814 – for POA
- http://kb.parallels.com/en/113818 – for Plesk
- http://kb.parallels.com/en/113821 – for H-Sphere
As this article is at a preliminary stage and will be updated in the near future, please subscribe to updates to those articles via e-mail (for example by clicking here for 113814 and here for 113818). You might also want to subscribe to the RSS feed here.
Plesk Team