CVE-2013-4878
published 2013-07-18


Priority: P2 76 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck KEV: in-the-wild exploit, exploited in the wild
EPSS: 31.07% (98.0th percentile)
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.

Affected

3 ranges (version ranges as given in the description; the fixed-in column was not preserved)

Vendor     Product                          Version range    Fixed in
parallels  parallels_plesk_panel            9.0.x on UNIX
parallels  parallels_plesk_panel            9.2.x on UNIX
parallels  parallels_small_business_panel   10.x on UNIX

Detection & IOCs (extracted from sources)

  path     /phppath/php
  url      POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n
  command  auto_prepend_file=php://input
  command  allow_url_include=on
  command  open_basedir=none
  • Detect POST requests to the /phppath/php URI path, which is the misconfigured ScriptAlias endpoint exploited by this CVE. A default Plesk install has no legitimate reason to receive POSTs there, so any POST to this path should be treated as a compromise attempt.
  • Look for PHP CGI argument injection query strings in requests to /phppath/php, specifically parameters such as -d, allow_url_include=on, auto_prepend_file=php://input, open_basedir=none, safe_mode=off, suhosin.simulation=on, and disable_functions="". Note that the exploit URL encodes every "=" as %3D: per the CGI specification a query string with no unencoded "=" is passed to the CGI program as command-line arguments, which is what turns the query into php-cgi switches. Decode the query before matching, and treat a non-empty query with no literal "=" that decodes to -d/-n switches as the core signature; the trailing -n tells php-cgi to ignore php.ini, and the POST body carries the PHP code that auto_prepend_file=php://input executes.
  • The exploit masquerades as Googlebot by spoofing the User-Agent header. Correlate Googlebot User-Agent strings with POST requests to /phppath/php as a high-fidelity detection signal; a genuine crawler does not POST to a CGI path.
  • Scanning activity targeting this vulnerability can be identified by GET requests to /phppath/php returning HTTP 500 Internal Server Error, used by attackers to fingerprint vulnerable Plesk hosts at scale (the 500 is php-cgi started without a script, which distinguishes a live ScriptAlias from a 404 on a hardened host).
  • The exploit targets both HTTP (port 80) and HTTPS (port 443). Monitor both ports for the /phppath/php path with PHP CGI argument injection patterns in the query string; on the HTTPS side this means inspecting the web server's own access log or a TLS-terminating proxy, not the wire.
  • The vulnerability is specific to the DEFAULT configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX. The improper ScriptAlias directive for 'phppath' must be present; hardened or non-default configurations may not be affected.
  • This is a distinct vulnerability from CVE-2012-1823 despite sharing the same PHP CGI argument injection exploitation technique. Detection rules for CVE-2012-1823 may partially overlap but should not be considered equivalent coverage, since they typically key on .php script paths rather than the /phppath/ alias.
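The detection points above, turned into a small log classifier, as an added example that is not part of the original page or of any vendor rule set. It parses Apache combined-format access log lines, restricts itself to the /phppath/ alias, URL-decodes the query, applies the no-literal-"=" argv-injection check, matches the -d directives listed above, and flags Googlebot spoofing and GET-then-500 fingerprinting. The log lines are constructed for the example (RFC 5737 test addresses); the function names and verdict labels are this example's own, not the page's.

```python
"""Classify access-log lines for CVE-2013-4878 style requests to /phppath/php."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format (not from a real host).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2013:10:01:02 +0000] "GET /phppath/php HTTP/1.1" 500 612 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [18/Jul/2013:10:01:03 +0000] "POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.4 - - [18/Jul/2013:10:05:44 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jul/2013:10:06:10 +0000] "POST /phppath/php HTTP/1.1" 404 210 "-" "curl/7.29.0"
"""

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PHPPATH_PREFIX = "/phppath/"

# php-cgi -d directives the exploit sets, as they appear after URL-decoding.
SUSPICIOUS_DIRECTIVES = (
    "allow_url_include=on",
    "auto_prepend_file=php://input",
    "open_basedir=none",
    "safe_mode=off",
    "suhosin.simulation=on",
    'disable_functions=""',
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_argv_injection(raw_query):
    """CGI passes a query string with no unencoded '=' to the program as argv.
    The exploit encodes '=' as %3D precisely so that this happens, so the signature
    is: non-empty query, no literal '=', and it decodes to php-cgi switches (-d / -n)."""
    if not raw_query or "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)
    return re.search(r"(?:^|\s)-[dn]\b", decoded) is not None


def classify(line):
    """Return a finding dict for a /phppath/ request, or None for anything else."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    if not parts.path.startswith(PHPPATH_PREFIX):
        return None

    raw_query = parts.query
    decoded = unquote_plus(raw_query).lower()
    directives = [d for d in SUSPICIOUS_DIRECTIVES if d in decoded]
    argv = looks_like_argv_injection(raw_query)
    googlebot = "googlebot" in rec["ua"].lower()
    method = rec["method"].upper()
    status = int(rec["status"])

    if method == "POST" and argv:
        verdict = "exploit"            # switches in the query, payload in the body
    elif method == "POST":
        verdict = "post_no_query"      # any POST here is treated as an attempt
    elif method == "GET" and status == 500:
        verdict = "fingerprint"        # php-cgi reached with no script: host is exposed
    elif argv:
        verdict = "argv_injection"     # injection on a non-POST method
    else:
        verdict = "phppath_access"     # worth a look, lower confidence

    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "method": method,
        "status": status,
        "verdict": verdict,
        "argv_injection": argv,
        "directives": directives,
        "googlebot": googlebot,
        "path": parts.path,
    }


def scan_log(text):
    """Classify every line of a log; return only the /phppath/ findings in order."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            finding = classify(line)
            if finding is not None:
                hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["status"]} '
              f'{hit["verdict"]} googlebot={hit["googlebot"]} '
              f'directives={len(hit["directives"])}')
```

Feed it a real access log (both the :80 and :443 vhosts) and page on "exploit" and "post_no_query"; "fingerprint" hits from the same source shortly before an "exploit" hit are the scan-then-attack sequence the sources describe. The argv check is the part that transfers: a CVE-2012-1823 rule keyed on a .php path will miss this alias, but the no-literal-"=" test plus the -d directives catches both.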

CVSS provenance

  nvd        v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
  vulncheck        9.8  CRITICAL