A hacker released what he claims is a zero-day exploit for older versions of the Parallels Plesk Panel, a popular Web hosting administration software package, that could allow attackers to inject arbitrary PHP code and execute rogue commands on Web servers.
The hacker uses the alias “Kingcope” and has published exploits for unpatched vulnerabilities before. He released the new Plesk exploit code Wednesday on the Full Disclosure mailing list.
The hacker claims the exploit was successfully tested against Plesk 9.5.4, Plesk 9.3, Plesk 9.2, Plesk 9.0 and Plesk 8.6 used in combination with the Apache Web server software on 32-bit and 64-bit Linux distributions including Red Hat, CentOS and Fedora. However, Parallels, the Seattle-based company that develops Plesk Panel, claims that Plesk 9.5 and later versions are not affected by the exploit.
“This vulnerability is a variation of the long known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesk [versions],” a Parallels representative said Thursday via email. “All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well Parallels Plesk Automation, are not vulnerable.”