October 28, 2016

Plesk Vulnerability Being Actively Exploited – Software Update Available

(LiveHacking.Com) – A critical security vulnerability in the Plesk web hosting administration software is being actively used in the wild to comprise servers. According to the Plesk security advisory a remote attacker can easily compromise a Plesk server allowing unauthorized access and modification. Affected versions include Parallels Plesk Panel versions 7.6.1 – 10.3.1.

The vulnerability has already been fixed by Parallels, the company who makes Plesk, and they have released a micro-update to fix the problem. Administrators should ensure they are using Plesk 8.6 MU#2, 9.5 MU#11, 10.3 MU#5 or 10.4.

For users of Plesk 8.6.0, 9.3.0, and 9.5.5 on Windows there is a patched version of some of the Plesk PHP files (specifically Agent.php) which replaces the existing vulnerable files.

According to Ars Technica, this critical vulnerability appears to have been used to compromise two servers hosting websites for the Federal Trade Commission.

Originally developed by Virginia-based Plesk Inc., and acquired by Parallels (previously known as SWSoft) in 2003, Plesk allows an administrator to create FTP and e-mail accounts, as well as manage other aspects of the associated hosting account. And as with other control panel applications for hosted sites, such as CPanel, it can also draw on an “Application Vault” to install common software packages (i.e., Drupal CMS and WordPress blog software) that are preconfigured for the hosting environment.