CVE-2013-4878
Published 2013-07-18
Priority P276 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 31.07% (98.0th percentile)
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parallels | parallels_plesk_panel | — | — |
| parallels | parallels_plesk_panel | — | — |
| parallels | parallels_small_business_panel | — | — |
Detection & IOCs (extracted from sources)
URL: POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n
- Detect POST requests to the /phppath/php URI path, the misconfigured ScriptAlias endpoint this CVE exploits. Legitimate clients have no reason to POST to it, so any POST to this path should be treated as an exploitation attempt rather than background scanning.
- Look for PHP CGI argument-injection query strings on /phppath/php, specifically -d options setting allow_url_include=on, auto_prepend_file=php://input, open_basedir=none, safe_mode=off, suhosin.simulation=on and disable_functions="". Decode the query string before matching: the exploit percent-encodes every '=' as %3D so that Apache treats the string as a CGI argument list and hands it to php-cgi as argv.
- The public exploit spoofs the User-Agent header to masquerade as Googlebot. Correlate Googlebot User-Agent strings with POST requests to /phppath/php as a high-fidelity detection signal.
- Scanning for this vulnerability can be identified by GET requests to /phppath/php that return HTTP 500 Internal Server Error; attackers use this response to fingerprint vulnerable Plesk hosts at scale.
- The exploit targets both HTTP (port 80) and HTTPS (port 443). Monitor both for requests to /phppath/php carrying PHP CGI argument-injection patterns in the query string.
- The vulnerability is specific to the DEFAULT configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX and Small Business Panel 10.x on UNIX. The improper ScriptAlias directive for 'phppath' must be present; hardened or non-default configurations may not be affected.
- This is a distinct vulnerability from CVE-2012-1823, although it uses the same PHP CGI argument-injection technique. Detection rules for CVE-2012-1823 may partially overlap but should not be considered equivalent coverage.
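The detection points above (POST to /phppath/php, -d argument injection in the query string, the Googlebot User-Agent spoof, and the GET-returns-500 fingerprint) combined into one routine that scans Apache combined-format access logs. This is an added example written for this page; it is not code from any indexed source or from Parallels. The log lines, IP addresses and User-Agent strings are constructed, and the log regex, the verdict labels and the field names in the returned dict are this example's own choices.

```python
"""Flag CVE-2013-4878 exploitation and scanning in Apache combined-format access logs.
Added example for this page, not from any indexed source; sample data is constructed."""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format. The request target is one token because the
# exploit separates php-cgi arguments with '+' rather than spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

TARGET_PATH = "/phppath/php"   # the misconfigured ScriptAlias endpoint named in the advisory

# php.ini directives the public exploit overrides with -d. Any of them arriving in a
# query string is argument injection, whatever value is given.
INJECTED_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation",
    "disable_functions", "open_basedir", "auto_prepend_file",
}


def cgi_argv(query):
    """Decode the query string the way Apache does for a CGI argument list.
    RFC 3875 section 4.4: when QUERY_STRING holds no unencoded '=', the server splits
    it on '+' and passes the decoded words as argv. That is why the exploit writes
    '%3D' for every '=' in 'key=value'."""
    return unquote_plus(query).split() if query else []


def ini_overrides(argv):
    """Collect '-d key=value' (or '-dkey=value') options as php-cgi would read them."""
    found = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-d" and i + 1 < len(argv):
            kv, i = argv[i + 1], i + 2
        elif tok.startswith("-d") and len(tok) > 2:
            kv, i = tok[2:], i + 1
        else:
            i += 1
            continue
        key, _, value = kv.partition("=")
        found[key] = value.strip('"')   # disable_functions="" arrives as two literal quote characters
    return found


def classify(line):
    """Return a finding dict for a request to /phppath/php, or None for anything else.
    verdict: 'exploit' (any POST, or -d injection on any method),
             'scan'    (bare GET answered with HTTP 500, the fingerprint probe),
             'probe'   (other bare GETs: worth a look, not proof of exploitation)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != TARGET_PATH:
        return None
    argv = cgi_argv(query)
    overrides = ini_overrides(argv)
    injected = sorted(set(overrides) & INJECTED_DIRECTIVES)
    method, status = m.group("method"), int(m.group("status"))
    if method == "POST" or injected:
        verdict = "exploit"
    elif status == 500:
        verdict = "scan"
    else:
        verdict = "probe"
    return {
        "verdict": verdict,
        "ip": m.group("ip"),
        "method": method,
        "status": status,
        "directives": overrides,
        "injected": injected,
        "ignores_php_ini": "-n" in argv,   # -n skips php.ini, so server-side hardening is bypassed
        "googlebot_ua": "googlebot" in m.group("ua").lower(),
    }


def scan_log(text):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


# Constructed sample: fingerprint GET, weaponised POST with a spoofed Googlebot
# User-Agent, an unrelated request, and a bare POST to the endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2013:03:14:07 +0000] "GET /phppath/php HTTP/1.1" 500 611 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2013:03:14:09 +0000] "POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" 200 1420 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Jun/2013:03:20:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Jun/2013:03:21:00 +0000] "POST /phppath/php HTTP/1.1" 200 310 "-" "curl/7.30.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["verdict"], f["ip"], f["method"], f["status"], f["injected"],
              "googlebot-ua" if f["googlebot_ua"] else "")
```

Matching on the decoded argv rather than on the raw query string is deliberate: a rule that greps for the literal text `-d+allow_url_include%3Don` misses `%2Dd` or mixed-case encodings, while decoding first reduces every variant to the same `-d key=value` tokens php-cgi would see. Treating a bare POST to the endpoint as an exploit even without -d options follows the first detection point above.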
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-cv88-cpw9-39c6 · ghsa_unreviewed · 2022-05-17 · CVSS 9.8 (CRITICAL)
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.
VulnCheck
Parallels Plesk Panel and Small Business Panel ScriptAlias Directive Vulnerability · vulncheck · 2013 · CVSS 9.8 (CRITICAL)
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.
Affected: parallels parallels_plesk_panel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blogs.cisco.com/security/plesk-0-day-targets-web-servers
- https://blog.sucuri.net/2013/06/plesk-vulnerability-in-the-wild-for-months-before-disclosure.html
- https://www.bleepingc
No detection rules found.
No writeups or analysis indexed.