Plesk users should be aware of a remote exploit for Plesk announced today on the Full Disclosure mailing list.  The exploit allows the attacker to execute PHP directly.  It will run as the “apache” user and execute whatever PHP code the attacker passes in the HTTP request.  Here are some potential effects at a glance:

  • Attackers can use PHP directly to leverage the exploited server's processing power and bandwidth to attack other hosts or to send spam.
  • Attackers can read site configuration files and harvest database info, then connect to the database and harvest or manipulate any data therein.
  • If the server isn’t kept up to date, attackers could perform a local privilege escalation exploit such as the recent perf_swevent_init exploit and gain root access.
  • On most servers, the site files are owned by the user account corresponding to each site, so they would be safe from modification/infection through this exploit.  But in many cases, new files could be created to maintain user-level access to each site even after the server is patched.
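Because site files are normally owned by each site's own account, any file under a web root that is owned by the web server user is out of place and worth reviewing after an incident like this. The shell functions below are an added example written for this post, not code from the original article or from Plesk; the vhost root and the web server user name ("apache") are assumptions to be adjusted to the local layout.

```shell
#!/bin/sh
# Added example (not from the original post): list regular files under a web root
# that are owned by the web server user rather than the site's own account.
# Assumed defaults for a Plesk layout: web root /var/www/vhosts, web user "apache".

# find_webuser_files <web_root> <web_server_user>
# Prints the path of every regular file under <web_root> owned by <web_server_user>.
find_webuser_files() {
    root="$1"
    owner="$2"
    find "$root" -type f -user "$owner" 2>/dev/null
}

# count_webuser_files <web_root> <web_server_user>
# Prints how many such files exist; a non-zero count is a signal to investigate.
count_webuser_files() {
    find_webuser_files "$1" "$2" | wc -l | tr -d ' '
}

# Typical use on a Plesk host (assumed paths):
#   find_webuser_files /var/www/vhosts apache
#   [ "$(count_webuser_files /var/www/vhosts apache)" = "0" ] || echo "review needed"
```

Run it from cron or a monitoring job and alert on any non-zero count; compare hits against a known-good baseline, since some applications legitimately write cache or upload files as the web server user.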

Plesk generally doesn’t take long to issue updates; I’m not sure if they’ve addressed this issue yet or not.  But this could be trouble for websites hosted on Plesk servers if the administrators aren’t quick with the patch.