ID

VAR-201306-0374


TITLE

Parallels Plesk Panel Arbitrary PHP Code injection vulnerability

Trust: 0.8

sources: IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-06822

DESCRIPTION

Parallels Plesk Panel ships with an incorrect configuration that references '/usr/bin' when resolving the PHP path, allowing remote attackers to submit specially crafted requests and execute arbitrary OS commands with the privileges of the web server. Parallels Plesk Panel is a hosting control panel solution from Parallels, USA; the product supports web tools, built-in virtualization, customer experience features, and more. The arbitrary PHP code injection vulnerability stems from the program's insufficient filtering of user-submitted input; an attacker could exploit it to execute arbitrary PHP code in the context of the affected application. The vulnerability exists in the following versions: Parallels Plesk Panel 9.5.4, Parallels Plesk Panel 9.3, Parallels Plesk Panel 9.2, Parallels Plesk Panel 9.0, and Parallels Plesk Panel 8.6.

Trust: 1.53

sources: CNVD: CNVD-2013-06822 // CNNVD: CNNVD-201306-100 // BID: 60351 // IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.8

sources: IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-06822

AFFECTED PRODUCTS

vendor: parallels | model: plesk panel | scope: eq | version: 8.6

Trust: 0.9

vendor: parallels | model: plesk panel | scope: eq | version: 9.3

Trust: 0.9

vendor: parallels | model: plesk panel | scope: eq | version: 9.5.4

Trust: 0.8

vendor: parallels | model: plesk panel | scope: eq | version: 9.2

Trust: 0.6

vendor: parallels | model: plesk panel | scope: eq | version: 8.6*

Trust: 0.2

vendor: parallels | model: plesk panel | scope: eq | version: 9.2*

Trust: 0.2

vendor: parallels | model: plesk panel | scope: eq | version: 9.3*

Trust: 0.2

sources: IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-06822 // BID: 60351

CVSS

SEVERITY

CNVD: CNVD-2013-06822
value: HIGH

Trust: 0.6

IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

CVSSV2

CNVD: CNVD-2013-06822
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

CVSSV3

-

sources: IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-06822

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-100

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201306-100

EXTERNAL IDS

db: BID | id: 60351

Trust: 1.5

db: CNVD | id: CNVD-2013-06822

Trust: 0.8

db: CNNVD | id: CNNVD-201306-100

Trust: 0.6

db: IVD | id: C891CD2A-1F1F-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: c891cd2a-1f1f-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-06822 // BID: 60351 // CNNVD: CNNVD-201306-100

REFERENCES

url: http://seclists.org/fulldisclosure/2013/jun/25

Trust: 0.6

url: http://arstechnica.com/security/2013/06/more-than-360000-apache-websites-imperiled-by-crticial-vulnerability/

Trust: 0.6

url: http://www.securityfocus.com/bid/60351

Trust: 0.6

url: http://www.parallels.com/products/plesk/

Trust: 0.3

sources: CNVD: CNVD-2013-06822 // BID: 60351 // CNNVD: CNNVD-201306-100

CREDITS

Kingcope

Trust: 0.9

sources: BID: 60351 // CNNVD: CNNVD-201306-100

SOURCES

db: IVD | id: c891cd2a-1f1f-11e6-abef-000c29c66e3d
db: CNVD | id: CNVD-2013-06822
db: BID | id: 60351
db: CNNVD | id: CNNVD-201306-100

LAST UPDATE DATE

2022-05-17T02:09:06.679000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2013-06822 | date: 2013-06-07T00:00:00
db: BID | id: 60351 | date: 2013-06-07T22:15:00
db: CNNVD | id: CNNVD-201306-100 | date: 2013-06-09T00:00:00

SOURCES RELEASE DATE

db: IVD | id: c891cd2a-1f1f-11e6-abef-000c29c66e3d | date: 2013-06-07T00:00:00
db: CNVD | id: CNVD-2013-06822 | date: 2013-06-07T00:00:00
db: BID | id: 60351 | date: 2013-06-05T00:00:00
db: CNNVD | id: CNNVD-201306-100 | date: 2013-06-09T00:00:00