• Article for your preferred language does not exist. Below is international version of the article.

Article ID: 113814, created on May 3, 2012, last review on Aug 12, 2014

  • Applies to:
  • Operations Automation 5.3
  • Operations Automation 5.2


POA 5.3 Update 11, which fixes this vulnerability, has been released.
POA 5.2 Update 15, which fixes this vulnerability, has been released.


On May 3rd, 2012, the PHP-CGI remote code execution vulnerability was disclosed to the general public. This is a Critical Vulnerability affecting all software that contains PHP-CGI.

This vulnerability affects PHP 5 scripts only on websites based on the following Parallels Operations Automation (POA) modules:
  • Linux Shared Hosting
  • NG Shared Hosting
Be aware that the following components are not affected:
  • PBA, the PBA store, and the POA control panel itself are not affected, as they run PHP using mod_php by default.
  • PHP 4 scripts are not vulnerable.
  • PHP-FastCGI is not vulnerable to this exploit.
  • PHP 5 on Windows Shared Hosting is not used in PHP-CGI mode.


PHP-CGI installations are vulnerable to remote code execution. The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. In particular, this concerns the Apache webserver, and some others.


A critical flaw was discovered in PHP (CVE-2012-1823) which allows someone to get the PHP script source code and potentially trigger a remote code execution in some cases (there is no publicly available PoC):


The official patch given on this page still does not resolve the issue entirely.

How to verify if website is vulnerable

In a browser, add "?-s" to the website URL with some existing PHP script, such as in the following example:


If the site is vulnerable, a source code for page.php will be listed in the browser. Otherwise, the proper script execution output will be listed.


POA 5.2

Customers with POA 5.2 installed have to install POA 5.2 Update 15. The update will fix the vulnerability and overwrite previously installed workarounds.

POA 5.3

Customers with POA 5.3 installed have to install POA 5.3 Update 11. The update will fix the vulnerability and overwrite previously installed workarounds.

Linux Shared Hosting NG

The servers that provide NG Shared Hosting have to be updated from the CloudLinux Network. The new versions of PHP RPMs contain a fix for the specific vulnerability and will overwrite previously installed workarounds.

Additional information

Parallels Plesk Panel websites and the product itself are not affected by the PHP-CGI remote code execution vulnerability, except for Parallels Plesk Panel versions 9.0.1 – 9.2.3, in cases where PHP was manually updated to version 5.2 or 5.3. For more information, refer to the following article:

113818 PHP-CGI remote code execution vulnerability (CVE-2012-1823) in Parallels Plesk Panel


caea8340e2d186a540518d08602aa065 2554725ed606193dd9bbce21365bed4e 5356b422f65bdad1c3e9edca5d74a1ae c2898cda1192c88ccc616ade5f670bd6 a8cdca46e4357a6e38fded820770e272 e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF