Upload: martha-chavez

Post on 21-Apr-2015

[FIX] Remote vulnerability in Plesk Panel

• Parallels Plesk Panel
• Plesk 8.x for Windows
• Parallels Plesk Panel for Windows
• Plesk 10.x for Linux
• Parallels Plesk Panel for Linux/Unix
• Plesk 9.x for Linux/Unix
• Plesk 10.0.x for Windows
• Plesk 10.x for Windows
• Plesk 10.1 for Windows
• Plesk 10.3 for Windows
• Plesk 8.x for Linux/Unix
• Plesk 10.3 for Linux/Unix
• Plesk 10.2 for Linux/Unix
• Plesk 10.2 for Windows
• Plesk 10.0.x for Linux/Unix
• Plesk 9.x for Windows
• Plesk 10.1 for Linux/Unix

Description

NOTE: The issue has been completely fixed in Plesk 8.6 MU#2, 9.5 MU#11, 10.3 MU#5, and later versions. Refer to http://kb.parallels.com/en/9294 to check which Micro-Update version is installed.

NOTE: If you suspect your server was compromised before you applied the fixes, it is strongly recommended that you change the passwords of all accounts in Plesk, including the Plesk 'admin' account, after applying the fixes. Refer to http://kb.parallels.com/en/113391 to reset passwords.

An anonymous attacker can remotely compromise a Plesk server.

Severity of vulnerability: Critical
Access Vector: Network exploitable; victim must voluntarily interact with attack mechanism
Access Complexity: easy
Authentication: Not required to exploit
Impact Type: Allows unauthorized access and modification
Vulnerable versions: Parallels Plesk Panel versions 7.6.1 - 10.3.1

Recommended resolution path for providers and large data centers

• Update or migrate Plesk to versions for which Micro-Updates with fixes are available
• Manual file replacement
• Use workaround (see below)

Resolution

For the versions listed below, apply the fixes from this KB article: http://kb.parallels.com/en/113313.

• Plesk 8.1 for Linux/Unix
• Plesk 8.2 for Linux/Unix
• Plesk 8.3 for Linux/Unix
• Plesk 8.4 for Linux/Unix
• Plesk 9.0 for Linux/Unix
• Plesk 9.2.x for Linux/Unix
• Plesk 9.3 for Linux/Unix
• Plesk 10.0.x for Linux/Unix
• Plesk 10.1 for Linux/Unix
• Plesk 10.2 for Linux/Unix

For the versions listed below, apply the fixes from this KB article: http://kb.parallels.com/en/112303.

• Plesk 8.1 for Windows
• Plesk 8.2 for Windows
• Plesk 8.3 for Windows
• Plesk 8.4 for Windows
• Plesk 8.6 for Windows
• Plesk 9.0 for Windows
• Plesk 9.2 for Windows
• Plesk 9.3 for Windows
• Plesk 9.5 for Windows

For the following versions ...

• Plesk 8.6 for Linux
• Plesk 9.5.4 for Linux
• Plesk 10.0.1 for Linux and Windows
• Plesk 10.1.1 for Linux and Windows
• Plesk 10.2.0 for Linux and Windows
• Plesk 10.3.1 for Linux and Windows

... fixes are provided by the Micro-Updates listed below:

• 8.6.0 for Linux only MU#2 - http://kb.parallels.com/en/112181
• 9.5.4 for Linux only MU#11 - http://kb.parallels.com/en/112179
• 10.0.1 for Linux and Windows MU#13 - http://kb.parallels.com/en/113322
• 10.1.1 for Linux and Windows MU#22 - http://kb.parallels.com/en/113323
• 10.2.0 for Linux and Windows MU#16 - http://kb.parallels.com/en/113324
• 10.3.1 for Linux and Windows MU#5 - KB is absent

For the remaining versions, it is recommended that you update to at least the next-higher version of the versions listed above.

• Plesk 7.x Linux/Windows
• Plesk 8.0 Linux
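
The resolution paths above can be applied to a server inventory with a short triage script. This is an added example, not part of the Parallels article; the inventory line format, hostnames and status labels are assumptions, and the installed Micro-Update number is assumed to have been collected beforehand as described in http://kb.parallels.com/en/9294.

```python
VULN_MIN, VULN_MAX = (7, 6, 1), (10, 3, 1)  # advisory: "versions 7.6.1 - 10.3.1"

# version -> (platforms the Micro-Update is offered for, first MU carrying the fix)
FIX_MU = {
    (8, 6, 0): ({"linux"}, 2),
    (9, 5, 4): ({"linux"}, 11),
    (10, 0, 1): ({"linux", "windows"}, 13),
    (10, 1, 1): ({"linux", "windows"}, 22),
    (10, 2, 0): ({"linux", "windows"}, 16),
    (10, 3, 1): ({"linux", "windows"}, 5),
}

def parse_version(text):
    """'9.5.4' -> (9, 5, 4); short forms such as '8.6' are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version, platform, installed_mu):
    """Classify one server against the advisory's resolution paths."""
    v = parse_version(version)
    if not VULN_MIN <= v <= VULN_MAX:
        return "not-in-vulnerable-range"
    platforms, needed = FIX_MU.get(v, (set(), None))
    if platform.lower() not in platforms:
        return "manual-fix-or-upgrade"  # no MU listed: use the per-version KB fix
    return "fixed" if installed_mu >= needed else f"apply-MU#{needed}"

def triage_inventory(text):
    """Each line (assumed format): '<host> <platform> <version> <installed MU>'."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        host = line.split()[0]
        try:
            _, platform, version, mu = line.split()
            report[host] = triage(version, platform, int(mu))
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hostnames and MU levels are made up).
SAMPLE = """\
web01 linux 9.5.4 9
web02 windows 10.2.0 16
web03 linux 8.3 0
web04 windows 9.5.4 11
"""
if __name__ == "__main__":
    print(triage_inventory(SAMPLE))
```

A "fixed" result only means the patched files are in place; the password reset recommended above still applies if the server may have been compromised before the update.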

©Parallels, 2012, autogenerated from http://kb.parallels.com/en/113321