Hacker Publishes Alleged Zero-Day Exploit For Plesk
hypnosec writes "KingCope, known for many concrete zero-day exploits, has published yet another zero-day through full disclosure – this time for Plesk, a hosting software package made by Parallels and used on thousands of servers across the web. According to KingCope, Plesk versions 9.5.4, 9.3, 9.2, 9.0 and 9.6 on three different Linux variants (Red Hat, CentOS and Fedora) are vulnerable to the hack. The exploit, as noted by the hacker, makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses a POST request to launch a PHP interpreter, and the attacker can set any configuration parameters through the POST request. Once invoked, the interpreter can be used to execute arbitrary commands."
Re:little late (Score:5, Insightful)
Plesk is currently at version 11... this would have been big like 2 years ago.
Yet, surprisingly, many companies will still be running those Plesk versions due to laziness, stupidity, ignorance, lack of staff for the upgrade, etc. I see it every day - or a variation of the same - old software kills.
Sensationalist Tripe (Score:5, Insightful)
The kiddie is basically claiming Plesk 9.5.4 and prior are vulnerable to CVE-2012-1823. The problem with this is that in order to take advantage of this "new exploit" the distro has to have not had updates applied (this PHP vulnerability was patched some time ago on all the host distros), Plesk has to be configured to run the site as CGI instead of through mod_php, which isn't the default and isn't even possible on many of the claimed versions, and the path claimed isn't even configured on standard Plesk installs. When presented with these facts, his response was basically "you lie", so yeah, why is this suddenly news?
Try again - Re:Sensationalist Tripe (Score:4, Insightful)
I just patched this on a half dozen servers yesterday - it's not the CVE vulnerability, it's a Plesk-Apache-PHP configuration exploit.
Plesk installed a PHP-via-CGI configuration that turned an entire directory path into an auto-CGI, and exposed the system path to the php executable. A couple of escape characters later and you had remote shell commands executing via POST.
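The two comments above disagree about whether this is CVE-2012-1823 or a Plesk-specific configuration problem, but both describe the same request shape: a php-cgi binary reachable over HTTP, and a query string that php-cgi parses as command-line options. The CGI "indexed query" rule is the root of it: when the raw query string contains no literal "=", the web server splits it on "+" and passes the words to the CGI program as argv, and php-cgi (before the fix) honoured "-d" (set an ini directive), "-s" (dump source) and "-n" (ignore php.ini) from that argv. Setting auto_prepend_file=php://input makes the POST body the script that runs. The detector below models that parsing and runs it over a few constructed Apache access-log lines. This is an added example, not code from either commenter, from KingCope, or from Parallels; the log lines, the IP addresses (documentation ranges) and the /cgi-bin/php path are all invented for the example and are not paths from any Plesk install.

```python
"""Flag php-cgi argument-injection (CVE-2012-1823-style) requests in access logs.

Everything in SAMPLE_LOG is constructed for this example; /cgi-bin/php is a
placeholder path, not one taken from a Plesk installation.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit

# Apache "combined" log format: ip, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ini directives that, once settable per request, hand the attacker code execution.
RCE_DIRECTIVES = {"auto_prepend_file", "auto_append_file", "allow_url_include"}


def cgi_argv(query: str) -> List[str]:
    """CGI 'indexed query' rule: only a raw query string with no literal '='
    is split on '+' and handed to the CGI binary as argv. A percent-encoded
    '=' (%3D) does not count as a separator, which is why exploits encode it."""
    if "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def php_cgi_options(argv: List[str]) -> Dict[str, object]:
    """Minimal model of php-cgi's option parsing for the options that matter here:
    -d key=value (attached or as the next word), -s (show source), -n (no php.ini).
    Words that are not options are ignored, as php-cgi would treat them as file args."""
    ini: Dict[str, str] = {}
    flags: Set[str] = set()
    i = 0
    while i < len(argv):
        word = argv[i]
        if word.startswith("-d"):
            value = word[2:]
            if not value and i + 1 < len(argv):
                i += 1
                value = argv[i]
            key, _, val = value.partition("=")
            ini[key] = val
        elif word in ("-s", "-n"):
            flags.add(word)
        i += 1
    return {"ini": ini, "flags": flags}


def classify(method: str, target: str) -> Optional[str]:
    """Return a finding label for one request line, or None when nothing in the
    query string would have reached php-cgi as an option."""
    query = urlsplit(target).query
    opts = php_cgi_options(cgi_argv(query))
    ini: Dict[str, str] = opts["ini"]  # type: ignore[assignment]
    flags: Set[str] = opts["flags"]  # type: ignore[assignment]
    if not ini and not flags:
        return None
    hit = RCE_DIRECTIVES & set(ini)
    if hit and method == "POST":
        # POST body is what auto_prepend_file=php://input would execute.
        return "php-cgi RCE attempt (ini: %s)" % ", ".join(sorted(hit))
    if hit:
        return "php-cgi ini injection (ini: %s)" % ", ".join(sorted(hit))
    if "-s" in flags:
        return "php-cgi source disclosure (-s)"
    return "php-cgi option injection"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over every parseable log line; returns (ip, target, label)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["target"])
        if label:
            findings.append((m["ip"], m["target"], label))
    return findings


# Constructed sample: two benign requests, one source-disclosure probe, one RCE attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2013:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:12:00:02 +0000] "GET /index.php?debug HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2013:12:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 2087 "-" "curl/7.29.0"
198.51.100.23 - - [10/Jun/2013:12:00:04 +0000] "POST /cgi-bin/php?-d+allow_url_include%3Don+-d+auto_prepend_file%3Dphp://input+-n HTTP/1.1" 200 512 "-" "curl/7.29.0"
"""

if __name__ == "__main__":
    for ip, target, label in scan_log(SAMPLE_LOG):
        print(ip, label, target)
```

Note the second sample line: "?debug" has no "=" either and does reach argv, but carries no option, so it is not flagged. That is the distinction a signature on "query without =" alone would miss, and the reason the check models php-cgi's option parsing rather than just the CGI split. Whether a given host is actually exposed still depends on what the first "Sensationalist Tripe" comment lists: an unpatched PHP, PHP run as CGI rather than mod_php, and the interpreter path being reachable at all.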
Re:PHP is a zero-day exploit (Score:2, Insightful)
PHP doesn't need high privileges to zombie a box via bots/scripts downloaded to /tmp or /var/tmp in one POST request, and spawned via a second.