Parallels Plesk SQL injection vulnerability
Description
Parallels Plesk Panel versions 7.x through 10.3.1 contain a SQL injection vulnerability in the Server Administration Panel. A PHP script in the panel concatenates a request parameter into a SQL query without sanitising or parameterising it, so quote characters and SQL keywords supplied by the client become part of the query rather than part of the data. A remote attacker can exploit this by sending a request whose parameter contains crafted SQL, gaining unauthorized access to the panel's backend database without authenticating first.
Affected versions:
- Plesk for Linux / Windows 7.x
- Plesk for Linux / Windows 8.x
- Plesk for Linux / Windows 9.x
- Plesk for Linux / Windows 10.0 - 10.3.1
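The following is an added illustration, not code from Plesk or from this advisory. It reproduces the class of bug described above in a constructed SQLite-backed login check (the table, column names and sample accounts are made up) and places the string-concatenated query beside a parameterised version, so the same two payloads, a comment-out bypass and a tautology, can be seen succeeding against one and failing against the other:

```python
import sqlite3

# Constructed sample data standing in for the panel's backend database.
# Not Plesk's real schema; for illustration only.
SAMPLE_USERS = [
    ("admin", "s3cret!", 1),
    ("reseller", "hunter2", 0),
]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """The shape of bug the advisory describes: request parameters are
    pasted into the SQL text, so a quote in them closes the string literal
    and whatever follows is parsed as SQL."""
    sql = (
        "SELECT login, is_admin FROM users "
        "WHERE login = '%s' AND password = '%s'" % (login, password)
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, login, password):
    """Parameterised query: the SQL text is fixed and the driver binds the
    values, so the same payloads are compared as literal strings."""
    sql = "SELECT login, is_admin FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Comment-out bypass: '--' discards the rest of the WHERE clause,
    # including the password check, and logs in as admin.
    print(login_vulnerable(db, "admin' --", "wrong"))
    # Tautology: the rewritten condition is true for every row.
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    # The parameterised version returns no rows for either payload.
    print(login_fixed(db, "admin' --", "wrong"))
```

The fix is not escaping; it is keeping user input out of the query text altogether. Escaping functions are database- and encoding-specific and have been bypassed repeatedly, whereas bound parameters are never parsed as SQL.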
Remediation
Take immediate action to remediate this critical vulnerability:
1. Update the Plesk installation:
- Upgrade to Plesk version 10.4 or later, which addresses this vulnerability
- For systems that cannot be immediately upgraded, install the vendor-provided Micro-Updates specific to your version
- After updating, verify the installed version through the Plesk control panel or from the version file (/usr/local/psa/version on Linux); releases that ship the plesk command-line utility can also run:
plesk version
- Note that a Micro-Update does not change the major version string, so on a 10.3.1 system patched by Micro-Update the version alone does not prove the fix is present; confirm the Micro-Update itself is installed
2. Check for prior exploitation:
- Review web server and panel logs for SQL-related activity in requests to the administration panel (quote characters, UNION SELECT, comment sequences such as -- or /*, time-delay functions)
- Because the injection does not require authentication, look at all requests, not only those from logged-in sessions, and remember that a POST body is not recorded in the access log, so the panel's own logs matter too
- Updating stops new exploitation but does not undo a compromise that has already happened
3. Reduce exposure:
- Implement network-level access controls to restrict access to the Plesk administration panel (port 8443 by default) to trusted IP addresses only
4. Enable and review audit logging for all administrative actions
5. Change all administrative passwords as a precautionary measure, and rotate database credentials as well if the logs show evidence of exploitation
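The following is an added example, not a tool from Plesk or from this advisory, covering two of the steps above: the log review for SQL-related activity and the version check after updating. The log lines are constructed Apache combined-format entries (the script path /admin/some.php is a placeholder, not the vulnerable script), the indicator patterns are a starting point rather than an exhaustive list, and the version parser assumes the file begins with a dotted version number such as "10.4.4 ...", which is how /usr/local/psa/version is laid out on the Linux builds I have seen:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines; not real Plesk logs. The first and
# last lines are ordinary traffic, the middle two carry injection payloads
# (URL-encoded, as they would appear in the log).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2012:08:12:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2012:08:12:09 +0000] "GET /admin/some.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "python-requests/1.0"
198.51.100.7 - - [10/Feb/2012:08:12:15 +0000] "GET /admin/some.php?id=1%20UNION%20SELECT%20login%2Cpasswd%20FROM%20accounts-- HTTP/1.1" 200 10240 "-" "python-requests/1.0"
203.0.113.9 - - [10/Feb/2012:08:13:00 +0000] "GET /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target protocol"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

# Indicators checked against the URL-decoded request target.
SQLI_HINTS = re.compile(
    r"'\s*(?:or|and)\s*'"             # quote-terminated tautology: ' OR '1'='1
    r"|union\s+(?:all\s+)?select"     # union-based data extraction
    r"|--(?:\s|$)"                    # line comment cutting off the query
    r"|/\*"                           # block comment
    r"|\b(?:sleep|benchmark)\s*\(",   # time-based blind probes
    re.IGNORECASE,
)


def suspicious_requests(log_text):
    """Return one record per log line whose decoded request target matches
    an injection indicator. Decoding first matters: the payloads arrive
    percent-encoded and the raw line would not match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, target = m.groups()
        decoded = unquote_plus(target)
        found = SQLI_HINTS.search(decoded)
        if found:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "target": decoded, "match": found.group(0)})
    return hits


def parse_version(text):
    """Leading dotted version number of a version file's contents,
    e.g. '10.4.4 CentOS 6 ...' -> (10, 4, 4)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


FIXED_IN = (10, 4)   # first release the advisory names as fixed


def is_patched(version_text):
    """True when the installed version is 10.4 or later. A Micro-Update on
    an older branch leaves the version string unchanged, so False here
    means 'check the Micro-Update level', not necessarily 'vulnerable'."""
    return parse_version(version_text) >= FIXED_IN


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("%(ip)s %(time)s %(method)s %(target)s  <- %(match)s" % hit)
    with open("/usr/local/psa/version") as fh:
        print("patched:", is_patched(fh.read()))
```

Run it against the real access log with the sample replaced by the file contents; the hits are a triage list to examine by hand, since a quote in a legitimate search string will also match. A clean access log is not a clean bill of health: a payload sent in a POST body leaves only the method and path behind.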