Please read this message in its entirely and take the recommended actions :
A security vulnerability in PHP was identified that impacts some of Parallels products. The goal of this email is to make you aware of the situation.
The PHP Group and the United States Computer Emergency Readiness Team (US-CERT) has issued a vulnerability alert on 3 May that PHP-CGI-based setups contain vulnerability when parsing query string parameters from .php files. You can find more information at the PHP website.
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
· Parallels Products Impacted
o Parallels Operation Automation Shared Hosting and Parallels Operation Automation Shared Hosting NG modules (all versions)
o Parallels Plesk Panel for Linux versions 9.0 – 9.2.3 might be vulnerable (Plesk team is working on an update)
o Parallels H-Sphere
A temporary patch for PHP installations does exist, and Parallels is working on incorporating this patch in our products as soon as possible.
- CALL TO ACTION
For immediate solution customers should read the following knowledge base articles for instructions:
- http://kb.parallels.com/en/113814 – for POA
- http://kb.parallels.com/en/113818 – for Plesk
- http://kb.parallels.com/en/113821 – for H-Sphere
As this article is at a preliminary stage and will be updated in the nearest future, please subscribe to those articles updates via e-mail (for example by clicking here for 113814 and here for 113818). You might also want to subscribe to the RSS feed here.