Hacker Publishes Alleged Zero-Day Exploit For Plesk

hypnosec writes "KingCope, known for many concrete zero-day exploits, has published yet another zero-day through full disclosure – this time for Plesk, a hosting software package made by Parallels and used on thousands of servers across the web. According to KingCope, Plesk versions 9.5.4, 9.3, 9.2, 9.0 and 9.6 on three different Linux variants Red Hat, CentOS and Fedora are vulnerable to the hack. The exploit, as noted by the hacker, makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses POST request to launch a PHP interpreter and the attacker can set any configuration parameters through the POST request. Once invoked, the interpreter can be used to execute arbitrary commands."

Re:Sensationalist Tripe

[Zapotek]

The dude replied to a valid and well-thought-out question with (irrelevant) lyrics from a Greek song. I wouldn't trust him to fill a glass of water, he obviously just wants some attention.

Paralells charges to submit security issues

[Anonymous Coward]

Paralells has no one to blame but themselves for this being posted publicly.

Having found exploit code published on Pastebin for Plesk through an automated Google alert, I recently attempted to contact Paralells.

I was unable to do so because I'm not a paying customer willing to pay to submit the security issue.

You can read more about this problem over at my blog. http://caffeinesecurity.blogspot.com/2012/12/how-not-to-handle-software.html [blogspot.com]