There is a command injection vulnerability in Plesk which is currently being exploited in the wild
Affected versions: Plesk 8.6, 9.0, 9.2, 9.3, and 9.5.4
The vulnerability is caused by a PHP misconfiguration in the affected application.
The exploit makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses a POST request to launch a PHP interpreter, and the attacker can set any configuration parameters through that POST request.
The published exploit code calls the PHP interpreter directly with the arguments allow_url_include=on, safe_mode=off and suhosin.simulation=on. The allow_url_include setting allows a remote attacker to include any PHP script, and suhosin.simulation puts Suhosin into simulated mode, which results in reduced protection.
Plesk uses a default Apache configuration, ScriptAlias /phppath/ "/usr/bin/", which maps requests for /phppath directly onto the /usr/bin directory.
Hence the attacker can easily exploit this vulnerability by calling the PHP interpreter with unsafe arguments as follows:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
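The following is an added example and not part of the advisory: a small scanner that flags requests of the pattern above in Apache access logs, for hunting exploitation attempts. It assumes the combined log format and the default /phppath alias; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format: client IP, timestamp and the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# php-cgi command-line switches. Per the CGI spec, a query string with no
# unencoded '=' is passed to the CGI program as command-line arguments,
# which is why the exploit encodes '=' as %3D.
CGI_SWITCH_RE = re.compile(r'(^|\s)-[dscnfih]\b')

# ini directives the published exploit sets to weaken PHP's protections.
RISKY_DIRECTIVES = ("allow_url_include", "safe_mode", "suhosin.simulation")

def analyze_request(request_line):
    """Return a finding dict for a /phppath request carrying php-cgi switches, else None."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    if not path.startswith("/phppath/"):
        return None
    decoded = unquote_plus(query)
    reasons = []
    if CGI_SWITCH_RE.search(decoded):
        reasons.append("php-cgi switch in query string")
    hits = [d for d in RISKY_DIRECTIVES if d in decoded]
    if hits:
        reasons.append("weakens: " + ",".join(hits))
    if not reasons:
        return None
    return {"method": method, "path": path, "decoded_query": decoded, "reasons": reasons}

def scan_log(lines):
    """Return (ip, timestamp, finding) tuples for every suspicious log line."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := analyze_request(m.group("req"))):
            out.append((m.group("ip"), m.group("ts"), finding))
    return out

# Constructed sample lines (not real traffic): one benign, one matching the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2013:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2013:12:00:02 +0000] "POST /phppath/php?-d+allow_url_include%3Don'
    '+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don HTTP/1.1" 200 64 "-" "curl/7.29"',
]

if __name__ == "__main__":
    for ip, ts, f in scan_log(SAMPLE_LOG):
        print(ip, ts, f["method"], f["decoded_query"], f["reasons"])
```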
This vulnerability is easily exploitable with the available exploit code, and successful exploitation can result in complete compromise of the system with web service privileges.
Ensure Plesk is patched to the latest release, version 11.