Parallels H-Sphere privilege escalation vulnerability has been discovered similar to the one described at https://kb.odin.com/115942.
The following versions of Parallels H-Sphere are confirmed to be vulnerable: 3.4.1, 3.5.1, 3.6.1. While there is no known exploit for the above vulnerabilities, Parallels strongly recommends taking action and applying the security updates (or workaround) described in this article.
Parallels H-Sphere versions 3.4.1, 3.5.1, 3.6.1 with Apache web server running mod_php are vulnerable to authenticated user privilege escalation. Authenticated users are users that have logins to Parallels H-Sphere (such as your customers, resellers, or your employees).
For security reasons, Parallels has recommended and continues to recommend Fast CGI (for PHP, Python, Perl, etc.) and CGI (Perl, Python, PHP, etc.) over mod_php.
Fix included in Parallels H-Sphere 3.4.1 SPU 68, 3.5.1 SPU 69, 3.6.1 SPU 70.
· Lock down PHP version used with mod_php by using open_basedir and disable_functions (for functions like exec, system and such) directives described at http://www.php.net/manual/ini.core.php;
· Either move mail/database frontends to the separate dedicated box or apply kb #116220 to switch mail/database frontends to (F)CGI mode, then disable mod_php completely on the corresponding physical box. You should ensure that no domain on that box uses mod_php mode before disabling it.