A 0-day vulnerability has been publicly posted which
affects older versions of Parallels Plesk software. The author of the
exploit included an informational text file which appears to indicate
that public servers have already been exploited. This vulnerability does not
affect the latest major version of the software; nevertheless we expect
to see widespread exploitation, due to the age of the affected versions:
sites still running these versions of Plesk, which are due to reach End of
Life on June 9, are unlikely to be regularly maintained. The vulnerable
versions of the Plesk control panel are exploited by injecting malicious PHP code,
allowing successful attackers to execute arbitrary commands with the
privileges of the Apache server userid.
http://arstechnica.com/security/2013/06/more-than-360000-apache-websites-imperiled-by-crticial-vulnerability/
Affected and tested: 9.5.4, 9.3, 9.2, 9.0, 8.0
Affected and tested OS: RedHat, CentOS, Fedora
Affected and tested Platforms: Linux i386, Linux x86_64
Unaffected: 11.0.9, due to compiled-in protection in its PHP version
POC:

root@server1 [~]# perl /tmp/plesk-simple-ssl.pl 76.12.81.206
HTTP/1.1 200 OK
Date: Thu, 06 Jun 2013 02:43:19 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

3
OK
14
2.6.18-308.24.1.el5
3e
uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
0

The exploit turns off hardening that may be in place on the server. The "allow_url_include=on" argument allows the attacker to include arbitrary PHP script; the impact of that is described here. Next, safe_mode is turned off. As a final step Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection (as well as the protections against processing PHP script via the php:// URI handler).
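Because the exploit works by passing php-cgi "-d" directives in the request, the three settings named above (allow_url_include, safe_mode, suhosin.simulation) leave a distinctive trace in the web server's access log. The following Python script is an added example for defenders, not code from the original post or from Parallels: it parses Apache combined-format log lines, URL-decodes the request target (twice, so that double-encoded requests are not missed), and reports any request that tries to set one of those directives. The log lines, IP addresses and the /cgi-bin/php path are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2013:02:43:19 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Jun/2013:02:43:21 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don+-d+safe_mode%3doff+-d+suhosin.simulation%3don HTTP/1.1" 200 98 "-" "curl/7.19.7"
203.0.113.12 - - [06/Jun/2013:02:44:02 +0000] "GET /search.php?q=safe_mode+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.21 - - [06/Jun/2013:02:45:40 +0000] "GET /cgi-bin/php?%252Dd+allow_url_include%253Don HTTP/1.1" 200 77 "-" "curl/7.19.7"
"""

# PHP hardening directives the exploit is described as disabling.
PHP_HARDENING_DIRECTIVES = (
    "allow_url_include",
    "safe_mode",
    "suhosin.simulation",
)

# Matches a php-cgi "-d name=value" directive in the decoded request target.
# After decoding, '+' has become a space, so the text reads "-d allow_url_include=on".
DIRECTIVE_RE = re.compile(
    r"-d\s*(" + "|".join(re.escape(d) for d in PHP_HARDENING_DIRECTIVES) + r")\s*=\s*([^\s&]*)",
    re.IGNORECASE,
)

# Minimal parser for the leading fields of an Apache combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_php_cgi_directives(target):
    """Return [(directive, value), ...] for hardening directives set via -d in the target.

    The target is decoded twice so that a double-encoded request (e.g. %252D for '-')
    is inspected in its final form.
    """
    decoded = unquote_plus(unquote_plus(target))
    return [(name.lower(), value) for name, value in DIRECTIVE_RE.findall(decoded)]


def scan_access_log(text):
    """Scan log text and return one finding per request that sets a hardening directive."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits = find_php_cgi_directives(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "directives": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        directives = ", ".join(f"{n}={v}" for n, v in f["directives"])
        print(f'{f["ts"]} {f["ip"]} status={f["status"]} php-cgi directives: {directives}')
```

To run it against a real server, replace SAMPLE_LOG with the contents of the Apache access log (for example, open the file and pass its text to scan_access_log). A 200 status on a flagged request, as in the POC above, is the case that warrants immediate follow-up; the same directive names can also be used as a search term in an existing log pipeline.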