Plesk exploit gives Apache privilege escalation edge

By

Kingcope dropped exploit code.

A hacker has disclosed exploit for a code-execution flaw impacting older versions of popular server administrator software used to create websites, email and other accounts.

Plesk exploit gives Apache privilege escalation edge

The exploit code for Parallels Plesk Panel software was posted last week on seclists.org by an individual known as Kingcope.

The exploit must be used in tandem with Apache Web server software, and can ultimately allow an attacker to inject malicious PHP code, programming language used to create dynamic web pages.

A saboteur would have the ability to execute arbitrary commands by escalating user privileges in the Apache server.

To carry out the feat, an attacker would have to run Plesk in CGI mode in PHP.

Kingcope said the vulnerability (CVE-2012-1823) can be exploited in Plesk 9.5.4 and earlier versions of the control panel, but Parallels, the Seattle-based maker of the software, has stated otherwise.

Parallels shared hosting vice president Craig Bartholomew told SC version 9.5.4 of the software was not vulnerable due to a CGI wrapper implemented in the software.

Instead, the flaw impacts Plesk versions 9.3, 9.2 and 9.0.

The most recent Plesk releases are versions 10 and 11. 

Cisco Systems researcher Craig Williams said even though the vulnerability affects older versions of Plesk Panel (running on Linux and FreeBSD operating systems), the impact of the exploit could prove serious given how outdated the software is.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Phishing attack nets enormous npm supply chain compromise

Phishing attack nets enormous npm supply chain compromise

Service NSW centralises security, networking in mammoth CloudOps overhaul

Service NSW centralises security, networking in mammoth CloudOps overhaul

VicRoads to phase out passwords in favour of passkeys

VicRoads to phase out passwords in favour of passkeys

Apple adds "mercenary spyware" protection to new A19 chip

Apple adds "mercenary spyware" protection to new A19 chip

Log In

  |  Forgot your password?