Plesk vulnerability issue

The first time I saw Plesk was about 6-7 years ago, when I ordered one of my first servers with a control panel. To be honest, until version 8.6 I was not so excited, but with that version and above it became pretty stable, and I started liking it more and more.
Unfortunately, a couple of days ago word spread over the Internet that a critical vulnerability had been found in Plesk versions 7.6.1 (my first one) to 10.3.1, one of the latest. Well, it is nice to realise your servers had been exposed for such a long time, and that such a security hole was kept secret until the penetration of two servers hosting websites for the Federal Trade Commission (Plesk control panel bug…), instead of thousands of maybe not so important servers.

Well, in short, the issue is critical, it is network exploitable, and it is rather easy for the server to be compromised – in other words, every second wannabe hacker can penetrate your server. No authentication is needed to exploit it, and it allows unauthorized access and modification on a server level. Vulnerable Plesk Panel versions are: 7.6.1 – 10.3.1

Pretty bad ha?

Because this Plesk vulnerability allows the hacker to make changes to user accounts, files, and sites, he may still have access to sites even after the patches are applied.
If you have even a small doubt that your server was compromised before you applied the patches, it is strongly recommended to change the passwords of all accounts in Plesk!

So, if you have a server with Plesk, you need to check whether it is up to date, and you will need the following information:

1. Find Plesk version:

You can log in via SSH using PuTTY and use the following command to print the current Plesk version:

For Plesk version on Windows the command will be:

executed in the command line.

2. Find which Plesk micro-update is currently installed:

Note: On some old Plesk versions, you will not find the ‘microupdates.xml’ file.

Once you have this information, you will have to apply the corresponding patch. Here is the official list of Parallels articles explaining how to apply the patch in Plesk:

| Plesk Version | Windows: Custom Fix | Windows: Micro-Update | Linux: Custom Fix | Linux: Micro-Update |
|---|---|---|---|---|
| Plesk 8.1 | KB112303 | | KB113313 | |
| Plesk 8.2 | KB112303 | | KB113313 | |
| Plesk 8.3 | KB112303 | | KB113313 | |
| Plesk 8.4 | KB112303 | | KB113313 | |
| Plesk 8.6.0 | KB112303 | | | 8.6.0 MU#2 |
| Plesk 9.0 | KB112303 | | KB113313 | |
| Plesk 9.2.x | KB112303 | | KB113313 | |
| Plesk 9.3 | KB112303 | | KB113313 | |
| Plesk 9.5 | KB112303 | | | 9.5.4 MU#11 |
| Plesk 10.0.x | KB112303 | 10.0.1 MU#13 | KB113313 | 10.0.1 MU#13 |
| Plesk 10.1 | KB112303 | 10.1.1 MU#22 | KB113313 | 10.1.1 MU#22 |
| Plesk 10.2 | KB112303 | 10.2.0 MU#16 | KB113313 | 10.2.0 MU#16 |
| Plesk 10.3.1 | | 10.3.1 MU#5 | | 10.3.1 MU#5 |
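
The check described in steps 1 and 2, as an added example (not from the original article or from Parallels): a Python triage helper that takes the platform, Plesk version and installed micro-update number you collected and reports which entry from the table applies. It assumes micro-updates are cumulative and reads the 8.6.0 and 9.5 micro-updates as Linux entries; the function names and the inventory are made up for illustration.

```python
import re

VULN_MIN, VULN_MAX = (7, 6, 1), (10, 3, 1)   # affected range stated in the article
KB = {"windows": "KB112303", "linux": "KB113313"}
_OLD = {(8, 1), (8, 2), (8, 3), (8, 4), (9, 0), (9, 2), (9, 3)}
_TEN = {(10, 0), (10, 1), (10, 2)}
# Branches whose table row lists a custom-fix KB article, per platform.
CUSTOM_FIX = {"windows": _OLD | _TEN | {(8, 6), (9, 5)}, "linux": _OLD | _TEN}
# (platform, branch) -> (base version, minimum MU#) from the table.
# Assumption: the 8.6.0 and 9.5 micro-updates are the Linux entries.
MICRO_UPDATE = {("linux", (8, 6)): ((8, 6, 0), 2), ("linux", (9, 5)): ((9, 5, 4), 11)}
for _os in KB:  # the 10.x rows list the same micro-update for both platforms
    MICRO_UPDATE.update({(_os, (10, 0)): ((10, 0, 1), 13), (_os, (10, 1)): ((10, 1, 1), 22),
                         (_os, (10, 2)): ((10, 2, 0), 16), (_os, (10, 3)): ((10, 3, 1), 5)})


def parse_version(text):
    """'10.3.1' -> (10, 3, 1); '9.2' -> (9, 2, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(platform, version, mu_level=0):
    """Return the action for one server. mu_level is the installed MU# (0 if none)."""
    platform, v = platform.lower(), parse_version(version)
    if not VULN_MIN <= v <= VULN_MAX:
        return "outside affected range"
    mu = MICRO_UPDATE.get((platform, v[:2]))
    # Assumption: micro-updates are cumulative, so MU#N or later contains the fix.
    if mu and v >= mu[0] and mu_level >= mu[1]:
        return "micro-update fix present"
    options = []
    if mu:
        options.append("%s MU#%d" % (".".join(map(str, mu[0])), mu[1]))
    if v[:2] in CUSTOM_FIX[platform]:
        # A custom fix leaves no trace in version/MU data: confirm it by hand.
        options.append(KB[platform])
    return "apply " + " or ".join(options) if options else "no fix listed for this version"


if __name__ == "__main__":
    # Constructed inventory: (host, platform, Plesk version, installed MU#).
    inventory = [("web1", "linux", "10.3.1", 5), ("web2", "linux", "9.5.2", 11),
                 ("win1", "windows", "10.1.1", 3), ("old1", "windows", "7.6.1", 0)]
    for host, platform, version, mu_level in inventory:
        print("%-5s %-8s %-7s -> %s" % (host, platform, version, triage(platform, version, mu_level)))
```

A result of "micro-update fix present" only says the patch level is sufficient now; a server that was exposed before patching still needs the password changes recommended above.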


Anthony Gee About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the Onlinehowto.net website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.
