Search for:

Available article translations:

Public issues VU#310500, CVE-2013-0132, CVE-2013-0133

Article ID: 115942, created on Apr 12, 2013, last review on Aug 12, 2014

  • Plesk 11.x for Linux
  • Plesk 10.x for Linux
  • Plesk 9.x for Linux/Unix
  • Plesk 8.x for Linux/Unix

Parallels Plesk Panel privilege escalation vulnerabilities have been discovered and are described in VU#310500, CVE-2013-0132, and CVE-2013-0133 (CVSS score 4.4 -

The following versions of Parallels Plesk Panel for Linux are confirmed to be vulnerable: 9.5, 10.x, and 11.x. While there is no known exploit for the above vulnerabilities, Parallels strongly recommends taking action and applying the security updates (or workaround) described in this article.

Parallels Plesk Panel versions 9.x to 11.x with Apache web server running mod_php, mod_perl, mod_python, etc., are vulnerable to authenticated user privilege escalation. Authenticated users are users that have logins to Parallels Plesk Panel (such as your customers, resellers, or your employees).
Parallels Plesk Panel instances with Apache web server configured with Fast CGI (PHP, perl, python, etc.) or CGI (PHP, perl, python, etc.) are NOT vulnerable.
For security reasons, Parallels has recommended and continues to recommend Fast CGI (for PHP, python, perl, etc.) and CGI (perl, python, PHP, etc.) over mod_php, mod_perl, mod_python, etc.

Current Status

Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:
•    Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information

•    Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details
•    Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
•    Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
•    Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
•    Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details

•    Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details

•    Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Immediate Workaround

Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.

Below is the example on how to switch mod_php to fast_cgi for all existing domains:

# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done

After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.

For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

dd0611b6086474193d9bf78e2b293040 56797cefb1efc9130f7c48a7d1db0f0c a914db3fdc7a53ddcfd1b2db8f5a1b9c 29d1e90fd304f01e6420fbe60f66f838 6ef0db7f1685482449634a455d77d3f4 0a53c5a9ca65a74d37ef5c5eaeb55d7f b8ef5052d936e902043e41759118114e

Was this article helpful?
Tell us how we may improve it.
Yes No
Server Virtualization
- Odin Cloud Server
- Odin Containers for Windows 6.0
- Odin Virtuozzo Containers
- Odin Automation
- Odin Automation for Cloud Infrastructure
- Odin Business Automation Standard
- Odin Virtual Automation
- Odin Plesk Panel Suite
- Web Presence Builder
- Odin Plesk Automation
- Odin Small Business Panel
- Value-added Services for Hosters
- Odin Partner Storefront
Services & Resources
- Cloud Acceleration Services
- Professional Services
- Support Services
- Training & Certification