Article ID: 116221, created on Jun 3, 2013, last review on Aug 12, 2014

Applies to:
  • H-Sphere 3.4
  • H-Sphere 3.5

A Parallels H-Sphere privilege escalation vulnerability has been discovered, similar to the one described at https://kb.odin.com/115942.

The following versions of Parallels H-Sphere are confirmed to be vulnerable: 3.4.1, 3.5.1, 3.6.1. While there is no known exploit for the above vulnerabilities, Parallels strongly recommends taking action and applying the security updates (or workaround) described in this article.

Details

Parallels H-Sphere versions 3.4.1, 3.5.1, 3.6.1 with Apache web server running mod_php are vulnerable to authenticated user privilege escalation. Authenticated users are users that have logins to Parallels H-Sphere (such as your customers, resellers, or your employees).

For security reasons, Parallels has recommended and continues to recommend Fast CGI (for PHP, Python, Perl, etc.) and CGI (Perl, Python, PHP, etc.) over mod_php.

A fix is included in Parallels H-Sphere 3.4.1 SPU 68, 3.5.1 SPU 69 and 3.6.1 SPU 70.

Possible workarounds:

  • Lock down the PHP version used with mod_php by using the open_basedir and disable_functions (for functions like exec, system and such) directives described at http://www.php.net/manual/ini.core.php.
  • Either move the mail/database frontends to a separate dedicated box, or apply kb #116220 to switch the mail/database frontends to (F)CGI mode and then disable mod_php completely on the corresponding physical box. Ensure that no domain on that box uses mod_php mode before disabling it.
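The following script is an added example (not H-Sphere code) that audits an Apache configuration for the first workaround: it reports every <VirtualHost> that lacks open_basedir or still leaves shell-execution functions enabled. It assumes the per-domain settings are expressed with mod_php's php_admin_value directive; the sample config, host names and paths are constructed.

```python
"""Audit Apache vhosts for the mod_php open_basedir/disable_functions lockdown.

Added example, not H-Sphere code. Assumes per-domain PHP settings live in
php_admin_value lines inside <VirtualHost> blocks; sample input is constructed.
"""
import re

# The article names exec and system "and such"; the rest of this set is an
# assumption based on commonly disabled shell-execution functions.
DANGEROUS_FUNCTIONS = {"exec", "system", "passthru", "shell_exec",
                       "proc_open", "popen"}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
ADMIN_RE = re.compile(r'^\s*php_admin_value\s+(\w+)\s+"?([^"\n]*)"?', re.M | re.I)


def audit_vhosts(config_text):
    """Return {servername: [findings]}; an empty list means the vhost is locked down."""
    report = {}
    for block in VHOST_RE.findall(config_text):
        m = NAME_RE.search(block)
        name = m.group(1) if m else "<no ServerName>"
        settings = {k.lower(): v.strip() for k, v in ADMIN_RE.findall(block)}
        findings = []
        if not settings.get("open_basedir"):
            findings.append("open_basedir not set: PHP is not confined to the customer's tree")
        disabled = {f.strip().lower()
                    for f in settings.get("disable_functions", "").split(",") if f.strip()}
        missing = sorted(DANGEROUS_FUNCTIONS - disabled)
        if missing:
            findings.append("disable_functions leaves enabled: " + ", ".join(missing))
        report[name] = findings
    return report


# Constructed sample: one vhost without the lockdown, one with the workaround applied.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName weak.example.test
    DocumentRoot /home/weak/public_html
</VirtualHost>

<VirtualHost *:80>
    ServerName hardened.example.test
    DocumentRoot /home/hardened/public_html
    php_admin_value open_basedir "/home/hardened:/tmp"
    php_admin_value disable_functions "exec,system,passthru,shell_exec,proc_open,popen"
</VirtualHost>
"""

if __name__ == "__main__":
    for host, findings in audit_vhosts(SAMPLE_CONFIG).items():
        print(host, "OK" if not findings else "; ".join(findings))
```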
